I respectfully disagree, my friend.
The in-built mechanism that automagically loads Acad.[lsp[fas[vlx]]] and AcadDoc.[lsp[fas[vlx]]] user files is hard-coded to first search DWGPREFIX prior to searching Support File Search Path (SFSP)... This inherently introduces more security risk. Whereas if the order of operation were to instead first search SFSP (you know, those hard-coded Profile-specific paths that a CAD Admin had the forethought to plan out, implement, and manage), and only if none are found, then search DWGPREFIX, myriad users who employ these user files would have avoided the entire 'acad.lsp' virus/worm scenario and never even have known about it. Those who did not, would still have been vulnerable.
I've even gotten Autodesk staff to confirm, and acknowledge this fact, and still no change to the code-behind the FindFile() Method (which is what causes this).
Autoloader, as I've shared elsewhere, is actually quite good at the few things it does correctly; it has some trade-offs in terms of operation.
That said, in the context of Security, Autoloader is very much a continuation of the same, extremely flawed approach to security. Firstly, you're not going to 'turn off' this feature as even AutoCAD loads its own .bundles now to some extent - and don't expect that to reduce moving forward.
Autoloader is extremely useful for internal, or proprietary apps that makes it easy to manage, and support all APIs, CUIx, and even Tool Palette upgrades, by simply changing the UpgradeCode XmlAttribute's value (GUID string). The one shortcoming to this mechanism, is that it is still relegated to Client/user local disk - the Autoloader mechanism does not search/load SFSP to find ..\ApplicationPlugins\ on the network, as example. These locations are hard-coded. That said, it's pretty easy for one with sufficient IT permissions, to edit ..\NetLogon\<YourLogonScript>.bat to 'push' network saved copies of all internal .bundles to user's local disk at logon.
The trade-off is that despite SECURELOAD, any Autoloader .bundle found within the multiple ..\ApplicationPlugins\ locations is implicitly trusted (which means it entirely bypasses SECURELOAD even if enabled), and the mechanism isn't even smart enough to check for Hidden, etc. folder Attributes prior to loading. Ergo, instead of being relegated to the AutoLISP, and Visual LISP (ActiveX) APIs via Acad.lsp, etc., malicious code can now access ALL APIs that AutoCAD supports (i.e., .NET, JavaScript, ObjectARX [C++ for AutoCAD], etc.).
So the teams that developed Autoloader (left hand), and SECURELOAD (right hand), didn't exactly get together on how the final product would operate in a more complete sense, IMO.
Cheers