Do you really believe that if Apple wrote their own interpreter for their own custom language that serializes into JSON it would be safer than using one of the battle-tested LUA implementations?
I was suggesting that they don't have executable code at all, that they use static configuration. But it may not be possible within their problem domain, I don't know. I always prefer static solutions until dynamic becomes necessary.