Many thanks to you @nathaningram
About security. Let’s do an example. Imagine the plugin saves an old version of All In One WP Migration. The folder will be something that looks like
pr-a3c0ed79-7.55-ver-all-in-one-wp-migration
To access any file inside that folder the hacker needs to guess a3c0ed79.
That key is an md5 of a timestamp. It’s not possible to guess it.
For example, the main file will have a path that looks like
[main-path]/wp-content/plugins/pr-a3c0ed79-7.55-ver-all-in-one-wp-migration/all-in-one-wp-migration.php. If you don’t know a3c0ed79 you can’t guess the path of any file. And in no installation, you can see the content of the folder [main-path]/wp-content/plugins/. You have to purposely delete the index.php file that WordPress automatically installs in the plugins folder. It should be a user with FTP privileges who want to do something against the security.
The next version will also have a feature that makes sure that that file is not deleted by the user, and recreates it if absent.
I already thought about security, this is why the folders include an encrypted key. Accessing the old version folders is similar to guessing a difficult administrator password.
Of course, if you have a website you have something that can be exploited, but I can say this plugin doesn’t add more vulnerabilities than you usually have with a WordPress site without this plugin.
I can even say that it’s more probable a hacker exploits the current plugins, rather than the saved copies, because the saved copies have an encrypted title, while the current copies have a known title.