Blender is effectively using eval()
and has no attempt at making the expression secure
(Look up sandboxing CPython; it's not trivial).
This is why Blend files have an option Trusted Source, for more details see:
http://wiki.blender.org/index.php/Doc:2.6/Manual/Extensions/Python/Security
For the C code, see BPY_driver_exec
https://developer.blender.org/diffusion/B/browse/master/source/blender/python/intern/bpy_driver.c$172
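
One defensive alternative to a bare eval(), shown as an added example that is not Blender's code or part of the original answer: parse the expression first and refuse anything outside a small syntax and name allowlist. The names `SAFE_NAMES`, `check_expression`, `eval_driver` and `is_rejected`, and the allowlist contents, are assumptions made for this sketch; it does not bound CPU or memory use beyond refusing `**`.

```python
import ast
import math

# Assumed allowlist for this example (not Blender's own driver namespace).
SAFE_NAMES = {n: getattr(math, n) for n in ("sin", "cos", "sqrt", "radians", "pi")}
SAFE_NAMES.update({"abs": abs, "min": min, "max": max})

# Syntax an arithmetic driver-style expression needs; everything else
# (attribute access, subscripts, lambdas, comprehensions, ...) is refused.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load, ast.Call,
    ast.BinOp, ast.UnaryOp, ast.Compare, ast.BoolOp, ast.IfExp,
    ast.operator, ast.unaryop, ast.cmpop, ast.boolop,
)


def check_expression(expr, variables):
    """Parse expr and return its AST, or raise ValueError if it leaves the allowlist."""
    allowed = set(SAFE_NAMES) | set(variables)
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from None
    for node in ast.walk(tree):
        # Pow is refused too: 9**9**9 would stall the evaluator.
        if not isinstance(node, ALLOWED_NODES) or isinstance(node, ast.Pow):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Constant) and type(node.value) not in (int, float, bool):
            raise ValueError("only numeric constants are permitted")
        if isinstance(node, ast.Name) and node.id not in allowed:
            raise ValueError(f"disallowed name: {node.id}")
        if isinstance(node, ast.Call) and not isinstance(node.func, ast.Name):
            raise ValueError("only direct calls to allowlisted names are permitted")
    return tree


def eval_driver(expr, variables):
    """Evaluate expr only after it has passed the allowlist check."""
    tree = check_expression(expr, variables)
    namespace = {**SAFE_NAMES, **variables, "__builtins__": {}}
    return eval(compile(tree, "<driver>", "eval"), namespace)


def is_rejected(expr, variables):
    """True if the allowlist check refuses expr (used for the constructed samples)."""
    try:
        check_expression(expr, variables)
    except ValueError:
        return True
    return False
```

Emptying `__builtins__` alone is not the control here; the AST check is what refuses attribute access and unknown names before anything is evaluated.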