After reading the documentation and the code, I'd suggest that plugins SHOULD actually be utilized for user-replaceable functionality. A prime example for this would be a login event. Authentication plugins could then react to a login event, and return if a user is authorized for something. This would also potentially allow for multiple authentication mechanisms, such as a Mantis-specific administrator, but also single sign-on authentication with, say, an LDAP source.
* To be answered shortly.