[Exim] potential security issue in Exim user filters?

If a user filter file contains a vacation command (or a mail.. expand

file.. command), the expansions are allowed to perform lookups, eg:
    ${lookup{powerusers}nis{netgroup}}
Would I be correct in assuming this applies to SQL etc lookups too?
I'd like to enable expand for my users, but not allow this sort of thing!

Matt (about to re-subscribe now he's got Exim working in his new job :)