I'm using the latest version of MU, and noticed that plugins, no matter what their nature, all go in the same directory. Although one can prevent their plugins directory from being browsed, any of the contents of that directory are still visible by default to the world, i.e.
1) Although there are thousands of plugins to choose from, a hacker could still guess that a target site would be running any of the more popular plugins and confirm by going to http://site-name/wp-content/plugins/plugin-name-here/filename-here, or
2) the hacker could use a fingerprinting tool like plecost to inventory a target WordPress install.
In both cases, sensitive information like plugin name, version, WordPress version and so on is exposed. I mean, what's the point in having WordPress Firewall installed if a hacker can go to your plugins directory, see that it's there, and potentially bypass it?
Again, the fact that there are a lot of plugins is an example of security by obscurity, which is really no security at all, since with brute force tools like plecost, it's trivial to bypass that hurdle.
Would it make sense to have a separate directory for sensitive plugins like WordPress Firewall, that can be protected with an appropriate .htaccess file?
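Added example, not part of the original post: a local audit an administrator can run on their own server to see which static files under `wp-content/plugins` disclose a plugin's presence and version when requested directly. The function names, the extension list and the two sample plugins are assumptions made for illustration; the sample tree is constructed.

```python
import os
import re
import tempfile

# Extensions a web server returns verbatim. PHP is executed instead, so the
# "Version:" header inside a plugin's .php file is not sent to the client.
STATIC_EXT = {".txt", ".md", ".html", ".css", ".js"}
# "Stable tag:" is the readme.txt version field; "Version:" also appears in some readmes.
VERSION_RE = re.compile(r"^\s*(?:Stable tag|Version)\s*:\s*(\S+)", re.I | re.M)

def audit_plugins(plugins_dir):
    """Map each plugin slug to [(relative_path, disclosed_version_or_None), ...]."""
    findings = {}
    for slug in sorted(os.listdir(plugins_dir)):
        root = os.path.join(plugins_dir, slug)
        if not os.path.isdir(root):
            continue
        for dirpath, dirs, files in os.walk(root):
            dirs.sort()  # deterministic traversal order
            for name in sorted(files):
                if os.path.splitext(name)[1].lower() not in STATIC_EXT:
                    continue
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    match = VERSION_RE.search(fh.read(8192))
                rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
                findings.setdefault(slug, []).append(
                    (rel, match.group(1) if match else None))
    return findings

def demo():
    """Run the audit over a constructed tree holding two made-up plugins."""
    sample = {  # constructed sample files, not real plugins
        "example-firewall/readme.txt": "=== Example Firewall ===\nStable tag: 1.2.3\n",
        "example-firewall/example-firewall.php": "<?php\n/*\nVersion: 1.2.3\n*/\n",
        "example-gallery/css/style.css": "body { margin: 0; }\n",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, text in sample.items():
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_plugins(base)

if __name__ == "__main__":
    for slug, files in demo().items():
        for rel, version in files:
            print(f"{slug}: {rel} version={version}")
```

Any file listed with a version is one whose direct URL confirms both the plugin and its release; those are the paths a deny rule in `.htaccess` would need to cover.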