When creating a plugin or theme for Grav, it is not only important to follow best practices, but to consider whether your work opens up any avenues of attack for potential intruders to a site. As Grav is a flat-file CMS and reliant on few dependencies, it is by nature more secure than similar systems, but insecure channels can be created inadvertantly.
These are some recommendations for how to best create a secure and trustworthy extension to Grav, and should be considered essential knowledge for any theme- or plugin-author
Grav has limited, modern basic requirements, and notably its flat-file architecture alleviates the need for a database. This is beneficial because a common attack-vector is a system's database. Sanitizing and securing input is a much harder task when the whole CMS relies on a database, and SQL-injection attacks can automatically try to execute SQL-statements even on remote hosts.