It is possible to restrict access for CMS templates to variables like $portal or $serviceLocator. Nevertheless, it is still possible to gain access to services using the getClass().forName trick, and thus any person able to create CMS templates (even on private pages) would have possible access to much more than we would like.
As I see it, it would be good to somehow block access to the forName method from Velocity (and perhaps some other similar security holes, if there are more); however, doing that, combined with restricting access to variables like $portal, would make templates much less powerful, while portal administrators would sometimes like to utilize their most powerful abilities.
Thus I propose adding a flag to each template, "restricted", and allowing only users with the appropriate permission (which by default only OmniAdmins would have) to save a template with this flag unchecked. This way an admin would be able to save a template without restrictions and make it work with powerful features, and at the same time, if a regular user modified this template and saved the changes, the flag would get automatically checked, and his version of the template would be restricted in access to fragile portal machinery.
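As an added illustration of the two points above (this is example code written for this page, not code from the original report or from the portal project), the snippet below renders the same template twice with Apache Velocity: once with the default introspector, where `$x.getClass().forName(...)` reaches arbitrary classes even though the context contains nothing but a plain string, and once routed through Velocity's own `SecureUberspector`, which refuses `getClass()` and so cuts off that route. The `restricted` parameter stands in for the proposed per-template flag; the class name `VelocitySandboxDemo`, the template text, and the context variable `$x` are constructed for the example, and the code assumes Velocity 1.7 (where `RuntimeConstants.UBERSPECT_CLASSNAME` and `org.apache.velocity.util.introspection.SecureUberspector` exist) on the classpath.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added example (not the portal project's code): why hiding $portal and
 * $serviceLocator is not enough on its own, and how the getClass().forName
 * route can be closed for templates saved with the proposed "restricted" flag.
 * Assumes Apache Velocity 1.7.
 */
public class VelocitySandboxDemo {

    // Constructed template: $x is an ordinary String that any template may see.
    // The method chain never touches $portal or $serviceLocator, so hiding
    // those variables does not stop it.
    static final String TEMPLATE =
        "#set($cls = $x.getClass().forName('java.lang.System'))"
        + "class=$cls";

    /**
     * Renders TEMPLATE. When restricted is true (the proposed flag is checked),
     * all method lookups go through SecureUberspector, which refuses
     * getClass()/getClassLoader() and a built-in list of dangerous classes.
     */
    static String render(boolean restricted) throws Exception {
        VelocityEngine ve = new VelocityEngine();
        if (restricted) {
            ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        }
        ve.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("x", "just a string"); // no portal objects in the context at all

        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "sandbox-demo", TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Unrestricted (admin-saved template): the chain resolves a Class object.
        System.out.println("unrestricted: " + render(false));
        // Restricted (flag checked): getClass() is refused, so #set gets null
        // and $cls is left unresolved in the output.
        System.out.println("restricted  : " + render(true));
    }
}
```

In the unrestricted run the `#set` receives a `java.lang.Class` instance, which is exactly the foothold the report describes; in the restricted run `SecureUberspector` returns no method for `getClass`, the assignment is skipped (Velocity does not `#set` a null by default), and the reference prints literally. The engine choice is the only thing that differs, which is why the proposed flag can be enforced at render time without changing what unrestricted templates are allowed to do.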