malware would likely be obvious to most people, you'd have to have an .exe or something and the user to click it, most people know better
but what someone could do is access the internet via vam without the user knowing, i posted it about this on the bug forum as a privacy concern. I could for example post my own plugin, or some other dude's plugin, injected with one line of code which takes 5s to add and I'd get all their IPs. It's possible even to open main browser windows and link to like a google docs file, if they're logged in to google in their main system browser I'll see their name/email. And that's just the a few seconds stuff. Clout-hungry pirates will take the anonymous files and distribute them pretending it's them who posted it making it even seem they're coming from a 'trustworthy' source.
One or more of your patrons gives away access to his patreon account to that site, because what's the worst that could happen when you give hackers your email address, insight towards your whereabouts and behavior & a way towards your credit card
. But XXX thirst gets people to do silly things.
You can stop attaching file directly to patreon. upload to something like mega.nz or google drive, post just the link in the patreon. when your stuff gets leaked there, remove the old file, add a new one or rename it and get a new link and then update the patreon post. The old one that's leaked will no longer work
People will still upload your hard work directly. There are ways to fight against too that but they're not easy. The idea is to watermark the files with an automated process, change pixels/elements in images, text & numbers in text files (models, plugins, scenes). Like for a model you could do a morph value that's "0.152" to be something like "0.15206969" where 06969 would be a watermark.
The only way to fight against watermarks is by comparing multiple files. You can fight against productive pirates too by doing smarter watermarks, not big ones unique to each user. But smaller ones unique to digits of the user id you're watermarking for. Instead of doing a watermark for 6969, you do a watermark for digit1_6, digit2_9, etc. Or the parity of the digits, or some other formula, combinations of them. That way even if multiple people get together and compare their watermarked files, it's not guaranteed they'll find them all an still give you clues as to one of the source of the leaks.
I have something i've been working that helps automate all that for creators but it's not ready, I only work on it every now & then when I get mad at pirates myself