I gather that what you are actually looking for is what changes can be propogated via the symbol table back out of a Safe module.

That's just it. So the fact that a new symbol table is used for the untrusted code is (at least partly) responsible for creating the sandbox. And that guarantees that whatever package statements are encountered won't violate the boundaries imposed by Safe. Well I think that's very good!

Thanks for your help diotalevi.