SonarLint VS Code does not highlight the same errors reported in SonarCloud

Hello, thanks for your question!

In the Sonar solution, Security Hotspots are special beasts: we consider them as findings that need to be checked by a human being, whereas for other types of issues (bugs, code smells and vulnerabilities), we are usually pretty sure that something should be fixed.

This is why, until recently, SonarLint did not report them locally: we don’t want to mix security hotspots with the rest of the issues in the “Problems” view, as it would be too noisy (and potentially hide real issues).

With version 3.14 of SonarLint for VS Code, we enabled the local detection of security hotspots when used in connected mode with SonarQube 9.7+; unfortunately, SonarCloud’s Web API currently lacks some of the fields that SonarLint relies on to track security hotspots, so this feature is not available yet in connected mode with SonarCloud.