I really have no knowledge of the architecture of the plugin, so I'm using an old embedded webapp project i've worked on before as an analogy.
I wholeheartedly agree with your previous statement — however, i expect that the IE window that's opened by the plugin is not the general instance of IE and that it hence would not necessarily use the shared user settings ; or it would use a copy of those settings.
I've had a similar issue when I was working on an embedded html/js app for iOS. In that case, I ended up tweaking the security settings of the WebView instance that was used within the app ; which did not change the whole user settings of the device. In this context, when we know precisely what is going to happen and for how long, I think it is acceptable. It's not like the webview has an address bar or anything that could let the (lambda) user do anything else than authenticating on sketchfab.
Again, this is a mere analogy which I hope works in our case