I'd be OK with such an idea if bitcoind listens on a separate port for
connections from plugins, a port that cannot be used for normal P2P
traffic. This could also be a UNIX socket instead of a TCP port.

Yes, can be done this way too. I was thinking about setups where you have services distributed across multiple machines. However, a separate port does indeed allow iptables or the like to be used.
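The two options discussed in the thread (a UNIX socket with filesystem permissions, or a separate TCP listener that must then be fenced off with a packet filter) can be contrasted in a few lines. The following is an added example, not code from this thread or from bitcoind; the function names, the `0o600` mode and the "ping" demo protocol are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile
import threading

# Assumed for this example: owner-only access to the plugin socket file.
PLUGIN_SOCKET_MODE = 0o600


def bind_plugin_socket(path: str, mode: int = PLUGIN_SOCKET_MODE) -> socket.socket:
    """Listen on a UNIX domain socket whose file mode decides which local users
    may connect. No packet filter is needed: the kernel enforces the mode, and
    the socket cannot be reached from the network at all."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # Apply the mode through umask at bind time so there is no window in
    # which the socket is world-connectable before a later chmod.
    old_umask = os.umask(0o777 & ~mode)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)  # umask can only remove bits; make the mode explicit
    srv.listen(1)
    return srv


def socket_mode(path: str) -> int:
    """Permission bits of the socket file (what the kernel will enforce)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def bind_plugin_tcp(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """TCP alternative: bind only to loopback so the plugin listener is not
    reachable on the P2P-facing interface. For plugins on other machines
    (the distributed setup from the thread) this has to be a routable
    address, and then a packet filter such as iptables must limit the
    allowed source addresses; TCP alone offers no local-user check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def plugin_roundtrip(srv: socket.socket, connect_addr, family: int,
                     request: bytes = b"ping\n") -> bytes:
    """Accept one plugin connection on srv and echo the request upper-cased.
    Returns what the client received. Constructed demo protocol, not bitcoind's."""
    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(1024)
            conn.sendall(data.upper())

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.socket(family, socket.SOCK_STREAM)
    with cli:
        cli.connect(connect_addr)
        cli.sendall(request)
        got = cli.recv(1024)
    t.join()
    return got


def demo_unix() -> tuple:
    """Bind a permission-restricted UNIX socket in a temp dir, check its mode,
    run one round trip, and clean up. Returns (mode, reply)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "plugin.sock")
    srv = bind_plugin_socket(path)
    try:
        mode = socket_mode(path)
        reply = plugin_roundtrip(srv, path, socket.AF_UNIX)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(d)
    return mode, reply


def demo_tcp() -> bytes:
    """Same round trip over a loopback-only TCP listener on an ephemeral port."""
    srv = bind_plugin_tcp()
    try:
        return plugin_roundtrip(srv, srv.getsockname(), socket.AF_INET)
    finally:
        srv.close()


if __name__ == "__main__":
    print("unix:", demo_unix())
    print("tcp :", demo_tcp())
```

The point of the comparison is where the access check lives: with the UNIX socket it is the file mode checked by the kernel on every connect, so a plugin connection cannot be confused with P2P traffic and no firewall rule is involved; with the TCP variant the listener itself accepts anyone who can reach the address, so once it is bound to something other than loopback the restriction has to come from iptables or an equivalent.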