Exactly. Microsoft learned this lesson painfully over many years through macro viruses. Now macros (that is, embedded code in documents) are turned off by default and certain dangerous operations are disabled unless the macros are signed.
Pyspread is no different from Excel or even web pages in this regard, in that it will need to sandbox and control what scripts can do in order to provide security for the user. Sure, a pyspread file can only hurt the files I have access to, but on my single-user system that's all my data, including my PGP keys, photo library, email contact list, etc. Proper restrictions are critical.