The get_env function could be a security risk, in the case that an app both:

• Allows untrusted users to write templates
• Uses environment variables to store secrets

I don't think that this is a terribly uncommon configuration, and it'd be good to give an option to disable the get_env function in cases where one doesn't need it.

In my opinion, this should be disabled by default, but I'll be happy so long as there's some way to disable it.