How about a middle-ground option, which could be the default: namely, to run "specials" if they invoke only the commands "convert" or "zcat" (list read from a configuration file, I suppose) and, if connected to a tty, to query the user about any other potentially insecure specials? This would fully solve the security issue while causing less disruption to users.
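One way the policy proposed above could be checked, as an added example that is not part of the original post or of any project's code. The function names, the one-name-per-line configuration format, the conservative metacharacter set and the choice to refuse when no tty is attached are all assumptions.

```python
import shlex
import sys

# Assumed default allowlist; the post suggests reading it from a configuration file.
DEFAULT_ALLOWED = frozenset({"convert", "zcat"})

# Characters that let a shell do more than run the single named command.
SHELL_META = set(";&|<>`$(){}\n\\*?[]~!#")


def parse_allowlist(text):
    """Parse the assumed config format: one command name per line, '#' starts a comment."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return frozenset(names)


def classify(command, allowed=DEFAULT_ALLOWED):
    """Return 'run' if the special invokes only an allowed command, otherwise 'ask'."""
    if any(ch in SHELL_META for ch in command):
        return "ask"  # pipelines, substitutions, redirections: more than one command
    try:
        argv = shlex.split(command)
    except ValueError:
        return "ask"  # unbalanced quotes
    if not argv or "/" in argv[0] or argv[0] not in allowed:
        return "ask"  # empty, path-qualified, or unlisted command
    return "run"


def decide(command, allowed=DEFAULT_ALLOWED, isatty=None, ask=input):
    """Run allowed specials, query the user on a tty, refuse when nobody can be asked."""
    if classify(command, allowed) == "run":
        return True
    if isatty is None:
        isatty = sys.stdin.isatty()
    if not isatty:
        return False  # assumption: no tty means the special is not run
    reply = ask(f"Run potentially insecure special {command!r}? [y/N] ")
    return reply.strip().lower() in ("y", "yes")
```

The check constrains which program a special starts, not what the arguments make that program do, so the options and file names passed to an allowed command are outside what it verifies.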