I've always been confused by this assertion, too. It's often the justification for privacy of paid plugins, too.
In addition to your example, I can imagine a very defensible scenario where a plugin is "standalone" with a shim layer to connect to WordPress (and maybe other CMSes, too).
Yeah, the infectious nature can hardly infect third-party software, even if the shim itself would be infected.
The one case I just remembered where it was remotely challenged was Thesis [1], but Automattic chose to throw money into bullying the challenger rather than going after the alleged license violation.