A possible core modification is to look into providing a sandbox for modules contained within a separate site domain when accessing the database.
With our site we have the main website and will soon be introducing subdomains of our site for societies. Some sites will be given the ability to have custom modules installed on them.
However, as a protection mechanism, at no time must such a subdomain have access to tables such as tl_member. We will be vetting modules and checking for all database reads, but some additional protection would be good.
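
One way to get that additional protection below the application layer, as an added example that is not part of the original post and is not a core change: give each society subdomain its own MySQL account with table-level grants only, so the server itself refuses access to tl_member. The database name `cms`, the society name "chess", the table `tl_chess_events`, the column layouts and the password are assumptions made for illustration.

```sql
-- Constructed setup so the script runs on a scratch MySQL server.
-- Assumed names: database `cms`, society "chess", table tl_chess_events.
CREATE DATABASE IF NOT EXISTS cms;
CREATE TABLE IF NOT EXISTS cms.tl_member (
  id INT UNSIGNED PRIMARY KEY, email VARCHAR(255), password VARCHAR(255)
);
CREATE TABLE IF NOT EXISTS cms.tl_chess_events (
  id INT UNSIGNED PRIMARY KEY, title VARCHAR(255), starts_at DATETIME
);

-- One account per society subdomain; modules on that subdomain connect
-- with it instead of the main site's account. Placeholder password.
CREATE USER 'society_chess'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET';

-- MySQL grants are additive and there is no DENY, so "everything except
-- tl_member" cannot be expressed. Grant per table and never on cms.*.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON cms.tl_chess_events TO 'society_chess'@'localhost';

-- Audit 1: the account's complete grant list.
SHOW GRANTS FOR 'society_chess'@'localhost';

-- Audit 2: table-level grants on tl_member.
-- Expect no society_ accounts in the result.
SELECT grantee, privilege_type
  FROM information_schema.table_privileges
 WHERE table_schema = 'cms' AND table_name = 'tl_member';

-- Audit 3: database-wide grants, which would cover tl_member.
-- Expect no rows for society_ accounts.
SELECT grantee, table_schema, privilege_type
  FROM information_schema.schema_privileges
 WHERE grantee LIKE '''society\_%';

-- Audit 4: global grants, which would cover every database.
-- A freshly created account holds only USAGE, so expect no rows.
SELECT grantee, privilege_type
  FROM information_schema.user_privileges
 WHERE grantee LIKE '''society\_%' AND privilege_type <> 'USAGE';
```

Run the audit queries as an administrative account, since the information_schema privilege tables only show rows the current user is allowed to see. With this in place, a module that slips past vetting and queries tl_member through the society account gets a "command denied" error from the server.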