Can I use a javascript function inside SQL?

A community member found the druid.javascript.enabled property and wondered if setting it to true would allow him to use a javascript function inside SQL. The answer is no, but it opened the door to a word about security:

Druid does not execute JavaScript functions in a sandbox, so they have full access to the machine. So JavaScript functions allow users to execute arbitrary code inside druid process. So, by default, JavaScript is disabled. However, on dev/staging environments or secured production environments you can enable those by setting the configuration property druid.javascript.enabled = true.

Here’s a bit more context.