This is the first I've heard of Electron running without a sandbox. If this is correct, then the security implications are much wider than just sex toys; I had (perhaps naively) presumed that since Electron is Chromium-based it shared the Chrome sandbox's strength.
To the plug? If you have a programming device or the firmware enables it. I don't think this should necessarily be changed, in the interest of open firmware. Sure, a client app probably focused on threats from the other direction, even if this application strongly hints at the dangers from the backside. Or maybe that motivated a relaxed approach in the first place. And if the vulnerability is in the SDK from the BT chip, the plug developer isn't even the culprit.