One of the NPP maintainers responded with:

Notepad++ & its plugins are installed in “Program Files” directory by default, which means hackers would need admin privileges to replace any plugin. If a hacker gains such privileges, they could also replace all the DLLs in the system32 folder. By the same logic, once Notepad++ is compromised in this way, any applications or executable binary (*.exe & *.dll) on the system could potentially be replaced. Or am I missing somethings?

Which I suppose is true. You could argue it is a way to persist malicious code once you do have access, but it seems unlikely and not that useful. Low severity if anything.

You’d need to have some general attack script that can adjust (or create proxies for) dlls maliciously on the fly, without prior knowledge of which dlls are encountered. Only in that case could the exe maybe detect malicious changes to the dll and stop execution. But a targeted attack using a compromised NPP distribution wouldn’t be covered with such a check.