Comment by nine_k

I expect that the entire mode is implemented in elisp-mode.el. It's based on lisp-data-mode, but I don't expect that to handle macros (should check though).

Looking at elisp-completion-at-point and likely deeper into elisp--completion-local-symbols, I'd try to find where macroxpansion occurs, and make it conditional. Same for the explicit emacs-lisp-macroexpand.

I would also search for `(eval ` in general and maybe put it under a buffer-local flag, too, so that you won't press C-x C-e or C-M-x and execute malicious code by mistake, when you know you're working on a piece of malicious code.

Maybe instead of a defcustom, it should rather be a minor elisp-paranoid-mode which would do all kinds of things to prevent execution of the code in the buffer, or the code the buffer refers to, etc.