The documentation on installing Moodle tells users that "it is vital that the files are not writeable by the web server user" and "If you want to use the built-in plugin installer […] it is strongly recommended to use ACL […]. Many people would consider this a brave move for a new site admin to implement".
Hence new site admins are not supposed to setup the server to use the plugin installer, but experienced admins on the other hand don't need to use it, they can git clone a plugin repository or perform actions as ssh root .
That makes me wonder which audience the plugin installer is made for …