There have been numerous stories in the past of IoT sex toys basically being thrown together by people with no tech knowledge and leaving the passwords as defaults, etc. Makes hacking/stealing the data trivial and obviously problematic for the product and users.
For Buttplug specifically, it's just a hardware control library. While there are ways to use network-as-ipc for the system (mostly to establish control from browsers that don't support hardware access internally), it's not recommended as a basis for a service without some modifications.
Buttplug is a core technology of my startup, alongside the user facing Intiface brand (https://intiface.com). I'll be working on more network focused services there in the near future, where I'll be addressing more security focused questions.
If you're curious about some of the beginning directions of that, I posted a full Teledildonics 101 workshop last month on my youtube channel, that goes over systems design thinking for remote intimacy, including some touchpoints on security.
What does project do to ensure security?