In the current release the restricted execution facility has not been tested extensively and cannot be guaranteed to protect against determined hackers. Also, since the Internet as a whole cannot be trusted, and non-proprietary secure protocols are not yet in widespread use, in theory anything downloaded could be contaminated, no matter how trustworthy the site from which you download appears to be.
See the description of Restricted Execution Mode for a description of the implemented policies.