[asherkin]

The SourceMod plugin runtime is not sandboxed, plugins can access anything that the SRCDS process can access (which is probably going to be the same as anything the user running SRCDS can access).

You should treat a compiled plugin as you would any other executable code. If you're talking vulnerabilities rather than intentionally malicious code (all SourceMod plugins are legally required to be distributed with source code, so you can always audit and compile them yourself), I'd be a lot more wary of SRCDS itself personally.

There's no great risk here, just isolate SRCDS as you would any other server daemon.