Are there any loopholes if I install my Jira plugin through UPM by descriptor file?

I am developing an Atlassian Connect spring-boot add-on and trying to deploy it in the instance. Are there any loopholes if I install my Jira plugin through a UPM descriptor file?

Can you expand on what you mean with loopholes?

You should only install apps from the Atlassian Marketplace unless you know the source. Even then, only when you’re developing an app should you install non-marketplace sourced apps.

Just my $0.02