Plugin and theme component signing

As I mentioned in this post, the dependencies that are pulled in are an additional attack vector.

In plugins it is quite easy to install additional Gems. This is quite invisible to an admin.

Furthermore, it does not look like there is any SRI in this approach. I'm not that familiar with the Ruby ecosystem; is the Gem repo immutable?
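As an added illustration of what an SRI-style check for plugin gems could look like (this is example code written for this page, not the forum poster's code and not Bundler's or Discourse's own implementation), the script below parses the `GEM` / `specs:` section of a `Gemfile.lock`, compares the SHA-256 of each fetched `.gem` archive against a checksum manifest recorded at lock time, and refuses to install when a gem was re-published with different bytes or was never pinned at all. The lockfile text, the gem archive bytes and the pinned checksums are constructed inline so the example runs offline; the manifest format and the `verify_gems` / `install_allowed?` names are assumptions for this example.

```ruby
require "digest"

# Example code added to this page, not part of the original post or of Bundler.
# Constructed Gemfile.lock fragment: only the GEM/specs section is consulted.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.8)
      plugin_helper (1.2.3)
        rack (>= 3.0)
      sneaky_extra (0.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    plugin_helper
LOCK

# Collect the top-level "name (version)" lines of the specs list (four-space indent).
# Lines indented further are a gem's own dependency constraints and are skipped.
def lockfile_specs(lockfile)
  lockfile.each_line.filter_map do |line|
    m = line.match(/\A {4}(\S+) \((\S+)\)\s*\z/)
    m && ["#{m[1]}-#{m[2]}", { name: m[1], version: m[2] }]
  end.to_h
end

# Constructed .gem archive contents. Real ones are tar files downloaded by Bundler;
# short strings stand in for them so the check runs offline.
GOOD_GEMS = {
  "rack-3.0.8"          => "rack gem contents v3.0.8",
  "plugin_helper-1.2.3" => "plugin_helper gem contents v1.2.3",
  "sneaky_extra-0.0.1"  => "sneaky_extra gem contents v0.0.1",
}.freeze

# Checksums recorded when the lockfile was reviewed (hypothetical manifest format).
# sneaky_extra was added to the lockfile later and never pinned.
PINNED_CHECKSUMS = {
  "rack-3.0.8"          => Digest::SHA256.hexdigest(GOOD_GEMS["rack-3.0.8"]),
  "plugin_helper-1.2.3" => Digest::SHA256.hexdigest(GOOD_GEMS["plugin_helper-1.2.3"]),
}.freeze

# What the installer fetched this time: rack is intact, but plugin_helper was
# re-published under the same version with different bytes.
FETCHED_GEMS = GOOD_GEMS.merge(
  "plugin_helper-1.2.3" => "plugin_helper gem contents v1.2.3 + backdoor"
).freeze

# Classify every gem the lockfile expects: intact, tampered, unpinned, or not fetched.
def verify_gems(lockfile, pins, fetched)
  report = { ok: [], mismatch: [], unpinned: [], missing: [] }
  lockfile_specs(lockfile).each_key do |full_name|
    bytes = fetched[full_name]
    if bytes.nil?
      report[:missing] << full_name
    elsif !pins.key?(full_name)
      report[:unpinned] << full_name
    elsif Digest::SHA256.hexdigest(bytes) == pins[full_name]
      report[:ok] << full_name
    else
      report[:mismatch] << full_name
    end
  end
  report
end

# Fail closed: an unpinned gem is as much a problem as a tampered one, because it
# means something reached the lockfile without anyone recording what it should be.
def install_allowed?(report)
  report[:mismatch].empty? && report[:unpinned].empty? && report[:missing].empty?
end

if __FILE__ == $PROGRAM_NAME
  report = verify_gems(LOCKFILE, PINNED_CHECKSUMS, FETCHED_GEMS)
  report.each { |kind, gems| puts "#{kind}: #{gems.join(', ')}" unless gems.empty? }
  puts(install_allowed?(report) ? "install allowed" : "install BLOCKED")
end
```

Run as-is, the script reports `rack-3.0.8` as ok, `plugin_helper-1.2.3` as a mismatch and `sneaky_extra-0.0.1` as unpinned, and blocks the install. The point of pinning per-version checksums rather than trusting the version string alone is exactly the question raised above: unless the repository is guaranteed immutable for a given name and version, the version in the lockfile does not identify the bytes that get executed.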