No, you can use a third-party BTCPay instance securely by using a read-only API-key from your Blink dashboard. You can find a BTCPay Server in the community chats or in this directory of public third-party instances:
https://directory.btcpayserver.org/filter/hostsI imagine a plugin which will require Master Public Key only. It will then generate addresses (unused only) when their will be a call from the shopping card. Convert the local currency or the given currency to bitcoin (depending on the exchange rate, exchange rate will be taken as average from some exchanges). Wait a certain amount of time to receive the bitcoin (wait for at-least one confirmation).
The rest of the features like invoice generating, paid receipt etc will be as it is like we see in other plugins.
What are the challenges to build one such plugin?