But does the fact that Zope has such a framework let us conclude something useful for Jython? To my understanding, it's Jython that should provide a restricted environment in its interpreter instance, where the imports would be restricted to a set of allowed ones (or not allowed at all, leaving it to the init script launched on the server at interpreter instantiation time).
I see something regarding this in Jython development, but I guess it's far from finished:
I find it strange that this question is not raised more often; there's very little discussion about this. It seems like a basic security concern for any system to limit the possible damage done by sneaky code. If some system provides Python scripting with the help of Jython, there's an easy way to wipe out files on the user's hard disk. Of course, users should be careful with running unverified code, etc., etc., but hey, the user does not always have information that a system has a macro-running feature and that it could potentially be tampered with.