if you wish a simpler solution, that does not compromise your currently implemented security to others than to the concerning enterprises, you could make it possible to use an alternative nppPluginList.json in %PROGRAMDATA%\Notepad++\plugins\Config instead of the default nppPluginList.dll under the following condition.
this must be accompanied by a clearly perceptible (disclaimer) warning confirm box (cancel, ok) that displays a warning like:
“Warning: you are about to install/uninstall Plugins from a custom 3rd party source.
please verify this source before you continue.”
which should be triggered each time someone starts plugins admin, then also each time someone tries to install a plugin in plugins admin, and each time someone tries to uninstall a plugin.
btw: it does not have to be a json, it could also be an unsigned nppPluginList.dll with an embedded 256.
and now that i mentioned “unsigned dll”:
currently a tampered nppPluginList.dll will just show an empty plugins list.
a good idea would be to check for that too, so you have 3 cases:
1. default behaviour as it is now
2. nppPluginList.dll is unsigned > show disclaimer warning
3. nppPluginList.dll is signed by you but tampered (invalid certificate) > cease operation, issue an alert window and exit plugins manager
alternative solutions need more work for each enterprise request.
pm. me if you like
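
The three cases listed in the post, sketched as an added example that is not part of the original post and not Notepad++'s own code: a PowerShell check built on `Get-AuthenticodeSignature`. The function name, the returned labels and the thumbprint placeholder are assumptions, as is treating a list validly signed by a different party the same way as an unsigned one.

```powershell
# Added illustration: classify a plugin list DLL into the three cases from the post.
# Get-PluginListTrustCase and its return labels are hypothetical names.
function Get-PluginListTrustCase {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: the real signer thumbprint is not given on the page.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Plugin list not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    switch ([string]$sig.Status) {
        'NotSigned' {
            # Case 2: unsigned list -> show the warning, user confirms or cancels.
            return 'ShowDisclaimer'
        }
        'Valid' {
            if ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint) {
                # Case 1: intact and signed by the expected publisher.
                return 'Default'
            }
            # Assumption: a valid signature from someone else is still a
            # custom third-party source, so it gets the warning as well.
            return 'ShowDisclaimer'
        }
        default {
            # Case 3: HashMismatch, NotTrusted, UnknownError, ... -> the file
            # carries a signature that does not verify. Refuse to load it.
            Write-Warning "Signature check failed: $($sig.StatusMessage)"
            return 'Abort'
        }
    }
}

# Usage (path and thumbprint are placeholders):
# Get-PluginListTrustCase -Path '<path to>\nppPluginList.dll' -ExpectedThumbprint '<THUMBPRINT>'
```

A file whose signature block has been removed entirely reports `NotSigned`, so in this scheme the confirm box is the only safeguard for that case.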