You question is not very clear, can you give an example of what you mean. I assume it is not just using the action builder? and can you expand on the security consequences, has there been any reported?
I guess you mean "which events work"? If you are developing a form that executes on the server, like in a print run, or maybe a flattened receipt for a form submission then any code you flag as run at server will be executed. I would assume the interactive events would not "work". Are you using any LiveCycle server products like Output?