It would be nice if the simulator had options to disable all outputs from playdate.simulator.writeToFile, or limit outputs to always fall in a certain directory.
On Windows, this is something of an inconvenience since the default output location appears to be the PlaydateSDK directory. On other systems, there might be some exploit enabled due to the ability to create arbitrary files.
Suppose there is some software that requires "some_file.lock" to be created before accessing "some_file", the simulator could block that by writing to "some_file.lock/output.png", since it will silently create parent directories automatically.
There may be some PNG files where having them in your home directory will get you in trouble.
On the plus side, the console will log what the simulator tried to write, although users need to know to look there. My worry is that people just running suspicious Playdate games they downloaded from random places might not notice.