What is more secure checking capabilities of user or checking role of user in WordPress plugin development

I would always go for the role “check”.
As in your case: 

if ( current_user_can( 'vendor' ) ) {
    // do stuff
}

Or of course the distributor role as created by you.

This way you can be sure that one is not interfering with the other and you can assign each role to its own “task” (e.g. allowing to edit only a specific custom post type or even his/her own meta-box) even though the capabilities are equal.
About possible security risks I can not judge, that depends all on the capabilities you have add to those roles.
Selecting by rolegives you imho more freedom and has no negative effect as far as I know.

The only thing you have to be aware of is that you have to be consequent in dividing tasks/allowing access when they are for a specific role.

No idea if this is an answer which helps you out, maybe some of the other users here can/will inform you better than I do. This what I wrote is seen from my perspective, so be my guest.

Related Posts:

  1. what’s the meaning of the field wp_capabilities in table wp_usermeta
  2. Add Custom User Capabilities Before or After the Custom User Role has Been Added?
  3. WordPress Capabilities: edit_user vs edit_users
  4. How to Structure a New Role/Capability Scheme?
  5. How to allow Unfiltered HTML in a wordpress multisite install
  6. Limit role to one plugin [duplicate]
  7. Logout users upon login, based on caps/role?
  8. Menu page with minimum capability as ‘Subscriber’ doesn’t allow ‘Admin’ to access it?
  9. How to determine which capability to use?
  10. Allow contributor user role to perform copy operation PHP
  11. Buddy Press restrict the capability to edit users
  12. Getting a List of Currently Available Roles on a WordPress Site?
  13. How do I create a custom role capability?
  14. How to store username and password to API in wordpress option DB?
  15. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  16. Send user activation email when programmatically creating user
  17. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  18. Nonces can be reused multiple times? Bug / Security issue?
  19. Can someone explain what wp_session_tokens are, and what are they used for?
  20. WordPress and PHP Sessions – Security and Performance
  21. Change default admin page for specific role(s)
  22. What is the difference between esc_html and wp_filter_nohtml_kses?
  23. How to Change the Entire WordPress Admin panel Look and Feel?
  24. Nonce in settings API with tabbed navigation
  25. Log in from one wordpress website to another wordpress website
  26. Allowing Custom Capability to Manage Plugin Options
  27. Escaping built-in WP function return strings
  28. What is the difference between strip_tags and wp_filter_nohtml_kses?
  29. WP Cron doesn’t save or in post body
  30. Add Capabilities to Custom Post Type after it has been created [duplicate]
  31. How to add more than 1 user role to sub-menu pages
  32. Odd behaviour with submenu link creation
  33. WordPress restrict plugin file direct access
  34. Plugin development: is adding empty index.php files necessary?
  35. Confusion on WP Nonce usage in my Plugin
  36. How to restrict plugin’s sub-menu pages to admin/subscribers?
  37. How to not let a user with a new role edit users that have administrator role?
  38. Execute plugin for specific user role(s) only
  39. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  40. Correct way check nonce (security) using old Options API
  41. Why do I need to check if wp_nonce_field() exists before using it
  42. query users by role
  43. Is there any way to check for user login and send him to login?
  44. WordPress security issue to output data from user input from theme option form
  45. Hide plugin dashboard menu item for specific roles
  46. get_posts() not working when accessing with a custom user role
  47. Verify if user is wordpress logged in from another app since wordpress 4.0
  48. Secure Pages Best Practice
  49. Securing/Escaping Output of file content – reading via fread() in PHP
  50. Set different custom menu items for different user roles
  51. Prevent third party plugin’s admin page access based on user type
  52. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  53. Video Security just like facebook [closed]
  54. You do not have sufficient permissions to access this page on a submenu
  55. wp_dropdown_roles() to replace option value = code
  56. Create a custom capability to allow an ‘Editor’ to edit only ‘Subscriber’ users
  57. Is disabling test_form in wp_handle_upload a security concern?
  58. How to connect my wordpress plugin to a remote database securely?
  59. wp_nonce_field displaying twice
  60. Is it necessary to do validation again when retrieving data from database?
  61. Hide custom post type by user roles
  62. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  63. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  64. WordPress custom post type capabilities issue
  65. add_submenu_page hooked function must explicitly check user capabilities – why?
  66. Are there any security risks when submitting data-attribute data through AJAX?
  67. Check user’s role and store in variable
  68. Why would you use esc_attr() on internal functions?
  69. WordPress: Custom User Role cannot access Custom Post Type | “Sorry, you are not allowed to access this page”
  70. Is it possible to use WP-CLI in a plugin (or theme)?
  71. Secruity Questions on a timer
  72. How to use gettext for specific user role
  73. Using HTML links within translatable string
  74. Unable to access custom plugin backend
  75. How can I save a password securely as a settings field
  76. How To Create A File Archive in WordPress?
  77. How can I change my assigned user role in WordPress 3.5.1?
  78. insufficient permissions; coding an action for plugin governed by custom capability
  79. Using password protection to load different page elements?
  80. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  81. How to store sensitive user data (passwords)
  82. Enable a role named ‘backend_user’ to access my plugin pages
  83. Add custom parameter for custom user role
  84. How do I make secure API calls from my WordPress plugin?
  85. esc_attr() on hard coded string
  86. how to add security questions on wp-registration page and validate it
  87. How to give custom roles the capability to edit one Menu instead of every Menu
  88. How I can give access to my custom plugin for editor roles user?
  89. Experts opinions needed: How (in)secure is this approach?
  90. Remove all capabilities in separate method fails versus included in method
  91. Remove from a div by class name from post page if post author role is not administrator
  92. Adding admin for specific users
  93. New Users are saved with no role selected
  94. WordPress User Management Departmental Managers
  95. Plugin capabilities
  96. Data Validation, dynamically generated fields (select for example)
  97. Remove default wordpress roles
  98. esc_url, esc_url_raw or sanitize_url?
  99. Plugins in symlinked directories?
  100. how to add custom user capabilities using add_user_meta or something else?