For local plugins it works because they do not have the sandbox attribute attached to their iframe.
When you open developers console when observing one of your plugins view in the vSphere Client and look at the iframe encapsulating your plugin, you will see that local and remote plugins are encapsulated with a different iframe element.
https://www.w3schools.com/tags/att_iframe_sandbox.asp
For local plugins there are no restrictions in the iframe sandbox rules, because a lot of plugins would simply not work, however this creates possible security flaws.
For remote plugins the security is the main concern, thus not all sandbox attributes are allowed, we started with a minimal set in 6.7U3 (which for example does not contain allow-popups), after some requests from plugin writers we have added it and it is present in the 7.0U2 as you mentioned).
It is not clear to me, if you have developed a local plugin working as expected for 6.7U3, why would you develop the remote plugin to cover those versions as well ?
