I never mentioned proprietary plugins. We have these things called utility libraries. They use
fork+exec to run helper binaries among other reasons.
The utility library is not a trust boundary. If you think it is, then you've already screwed
up. However the resulting exec() is a trust boundary, the kernel provides for the executed
binary to receive different security privileges to the calling process.
If you think about it a little it's obvious that closefrom() isn't the appropriate interface
on its own because it requires you to export all the information about close-on-exec rules
into some arbitrary global structure and then have all utility libraries co-operate to use and
update that structure, whereas CLOEXEC pushes the relevant /security critical/ information
into each individual file descriptor. Sure enough the other systems you're talking about all
have CLOEXEC for exactly this reason. They just haven't fixed it yet and Linux has.