If a theme includes 3rd party add-ons, the theme buyers are NOT entitled to direct updates of those 3rd party add-ons, as only direct buyers are entitled to that. So bypassing that limitation by using the theme authors extended license code (even if its hidden on another server) in order to retrieve the update directly from the plugin authors profile seems highly questionable to me.
I understand the appeal and ease of such an approach, but in the end, only the theme author is allowed to have direct access to the updates and the solution suggested extends that direct access to all theme buyers. Extended licenses for plugins are very cheap on CodeCanyon and theme authors benefit much more from including some plugins with their theme and the price for an extended license is already recovered after selling just a couple of theme licenses.
By giving theme buyers now access to direct updates removes one of the biggest incentive for theme buyers to also purchase a separate license for an included plugin (aside from direct support from the plugin author). So either Envato drastically increases the price for extended licenses in order to make up for that, or Envato needs to step in and put a stop to such a delivery method for otherwise unauthorized updates. Or plugin authors have to start to provide all their updates through their own servers and just host outdated versions on CodeCanyon.