I know what you're saying but you're talking probability more than security. Secure should be considered binary. It's secure (against all known issues) or it's not. Anything else is a form of gambling. Maybe you're only betting a couple dollars on good odds so it's not that dangerous but it's still not secure and suggesting it is in a situation where someone is discussing arbitrary code execution from user input is irresponsible even if it's not that risky.