The video below is a good example of showing both sides of the coin. The guy that made that video created an excellent PowerShell plotting manager / heat maps module. He earned his trust not just by creating that code, but also by how he engaged with people on the Issues page of his project. At the very beginning of that video, he is giving an example of malicious PowerShell code in another project.
In my opinion, the person that wrote that script was an imbecile, as he injected that malicious code day one, instead of, as you said, building trust over a few releases, and then injecting the code where potentially his user base would be much bigger. On one hand, it is easy to blame him, but he just gamed the fact that Chia had no protection for mnemonics, so maybe the blame should also be put on those that enable such things by their negligence.
As you said, it is really hard to check for a malicious part / intent, and the fact that the code is “clean” today doesn’t mean that the malicious part will not be there tomorrow.
There are no special privileges that would make comp A have different rights than comp B. So, yes, if you have the mnemonics, you can control that address from any installation you want. You can write a script that will be making those changes every other second, basically rendering those mnemonics worthless - thus your plots being worthless as well.
Maybe a simpler answer would be that neither setup is “monitoring” the reward address. What that means is that the only way to make the UI notice such a change is to re-read what the blockchain says. This action is potentially taken only when you explicitly click on a different panel. Same thing with the CLI: once you start it, the address is read. Most likely, it will be read again only when you ask the CLI to show it.
Also, having that comp B running, you can see what pool that NFT belongs to, and as such you can poll that pool, do an address change just before the expected payout, and revert it back to the original one, leaving the owner kind of stuck, as most likely such a change will be invisible to the owner (or at least, I don’t know how to trace such changes - potentially by contacting the pool directly).