You are completely right on this, I can confirm this through my own testing with a freshly spun up Discourse instance. I went ahead and updated the documentation with instructions that actually work which consist of logging into the server and manually disabling the addon:
cd /var/discourse
./launcher enter app
rails c
SiteSetting.proxytracer_enabled = false
exit
exit
I can confirm that safe mode is inaccessible when the “Enabled for All Visitors” setting is enabled and someone tries to access safe mode while connecting using a VPN/proxy.
Indeed, an about.json is redundant for standard plugins, I went ahead and removed it from the repo.
Thanks for all of your feedback @Moin. If you have any other remarks or suggestions feel free to leave them here. The code is fully open source and any contribution is welcome: GitHub - ProxyTracer/discourse-proxytracer.