How to handle admin and password requests from plugin developers?

I have purchased a few plugins and they work fine, but one existing plugin doesn't work. The plugin developer is telling me: refund or provide admin access.

How to handle such requests? Create a special user with some admin rights just to be able to work on the plugin directory?



Ultimately it is your discretion. It is not possible to effectively limit a user's access to a particular plugin directory when modifying code for WordPress: executable plugin code has as much access to and control over the database and filesystem as WordPress itself does.

You could change file permissions or use server directives to disallow the PHP/web-server user from creating/altering/deleting files outside of the plugin directory - but note that this will prevent all WordPress users, and in fact WordPress itself from modifying such files. But such a solution would likely be quite messy, and possibly introduce more abnormalities.

In general, providing any variety of dashboard, filesystem, and/or database access to anyone without a direct professional relationship with a site is inadvisable. Ideally, create a separate development copy of the site and provide the developer full access to that in order to perform their work. Once they are finished, compare a diff of the files against the original copy in order to review their changes, and the same for the database, if necessary. If everything checks out, emulate their changes on your production installation.
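The file comparison described in the answer above can be scripted. This is an added example, not part of the original answer: it hashes every file in the original and the development copy, lists what was added, removed or modified, and separately flags any change outside the plugin's own directory. The plugin name `example-plugin` and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def review_changes(original, staging, expected_prefix):
    """Compare two site copies; flag every change outside expected_prefix."""
    before, after = snapshot(original), snapshot(staging)
    report = {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }
    changed = report["added"] + report["removed"] + report["modified"]
    report["outside_plugin"] = sorted(p for p in changed if not p.startswith(expected_prefix))
    return report


def build_sample_trees(base):
    """Constructed sample data: tiny 'original' and 'staging' trees (hypothetical plugin)."""
    files = {"wp-config.php": "<?php // config",
             "wp-content/plugins/example-plugin/main.php": "<?php // v1"}
    for name in ("original", "staging"):
        for rel, body in files.items():
            target = Path(base, name, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    staging = Path(base, "staging")
    (staging / "wp-content/plugins/example-plugin/main.php").write_text("<?php // v2 fixed")
    (staging / "wp-content/plugins/example-plugin/fix.php").write_text("<?php // new helper")
    (staging / "wp-config.php").write_text("<?php // config changed")
    return Path(base, "original"), staging


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        orig, stag = build_sample_trees(tmp)
        for kind, paths in review_changes(orig, stag, "wp-content/plugins/example-plugin/").items():
            print(kind, paths)
```

Anything listed under `outside_plugin` is a change the plugin fix should not have needed and deserves a line-by-line read before it goes near production.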


No one else should touch your live site.

What you should do: Create an exact copy of your site, preferably on the same server, so the software context is the same. This second site is the test site that should run with the same theme, plugins, content and WordPress version as the live site. It should, of course, also show the same problem.

Protect that site per .htaccess or a similar server configuration with a password to keep it out of reach for other visitors and bots.

Create a separate admin user for the developer there, then let her solve that problem and explain the solution, so you can apply it on your own to the live site.
