Thanks for a really scary example! :D
By the way, I was NOT planning this for a shared environment.
In fact, it is for a WordPress blog network which uses our plugin http://wordpress.org/extend/plugins/nginx-helper/
Whenever users create new sites, the plugin adds the new site's ID to the map.conf file (a simple key-value table of domain names and numeric IDs for efficient file handling).
I was thinking of running a Linux inotify-based script to auto-reload nginx whenever changes are detected in the map.conf file.
After your example, I can add some sed commands to my script so any chars like "{" and "}" will be stripped out!
At the end, you cannot guarantee security for anyone, no matter how safe the code you develop is. :D
--
Rahul Bansal
EasyEngine - https://github.com/rtCamp/easyengine
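
The validate-before-reload idea from the message above, as an added example that is not part of the original post or of the nginx-helper plugin. It assumes each map.conf entry has the form `<domain> <numeric-id>;` and accepts only lines of that shape, then lets `nginx -t` check the full configuration before reloading; the function names are hypothetical and the sample files in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not from the post or the nginx-helper plugin).
# Assumption: each map.conf entry looks like "<domain> <numeric-id>;".

# Exit 0 only if every line is blank, a comment, or "<hostname> <digits>;".
validate_map_conf() {
    vm_file=$1
    [ -r "$vm_file" ] || { echo "cannot read $vm_file" >&2; return 2; }
    # -v prints the lines that match NONE of the allowed shapes; -n adds line numbers.
    vm_bad=$(grep -nEv \
        -e '^[[:space:]]*(#.*)?$' \
        -e '^[[:space:]]*[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?[[:space:]]+[0-9]+;[[:space:]]*$' \
        "$vm_file" || true)
    if [ -n "$vm_bad" ]; then
        printf 'rejected lines in %s:\n%s\n' "$vm_file" "$vm_bad" >&2
        return 1
    fi
    return 0
}

# Reload only if the map file passes the allowlist AND nginx accepts the whole config.
safe_reload() {
    validate_map_conf "$1" && nginx -t -q && nginx -s reload
}

# Watch the directory holding map.conf (inotifywait is from inotify-tools).
watch_and_reload() {
    while inotifywait -qq -e close_write -e moved_to "$(dirname "$1")"; do
        safe_reload "$1" || echo "reload skipped: $1 failed validation" >&2
    done
}

# Constructed sample files showing one accepted and one rejected map.
demo() {
    d=$(mktemp -d)
    printf 'example.com 1;\nblog.example.org 22;\n' > "$d/good.conf"
    printf 'example.com 1;\nexample.org 2; }\n' > "$d/bad.conf"
    validate_map_conf "$d/good.conf" && echo "good.conf: accepted"
    validate_map_conf "$d/bad.conf" || echo "bad.conf: rejected"
    rm -rf "$d"
}

case "${1:-}" in
    watch) watch_and_reload "$2" ;;
    demo)  demo ;;
esac
```

Run it as `sh script.sh demo` to see both outcomes, or `sh script.sh watch /path/to/map.conf` on a host with inotify-tools and nginx installed.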