For one, why does a project folder have a lisp routine in it?
I'm on Bricscad, so this isn't an issue, but I sometimes put project-specific customization in a lisp in each project file folder. This allows me to add on-the-fly customization that doesn't affect the whole office, just the project team. Some of it is an override to office standards, as required by the specific job.
I too have used project-specific code files for years, but _never_ using one of the automatically loaded Acad* files in DWGPREFIX, etc. for the very reason of mitigating potential security issues.
Instead, I simply have users place their project-specific code in a (strcat (getvar 'loginname) ".lsp") file, in a separate folder (either their personal network space, or a project relative folder; never where .DWGs are), and load the code (if found) as part of our AcadDoc.lsp procedure.
Cheers
[Edit] - Code snippet from version-specific AcadDoc.lsp, where user's personal network space is mapped to SFSP programmatically at session start:
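The approach described above (a per-user `<loginname>.lsp` loaded from a fixed folder rather than from one of the auto-loaded Acad* files in DWGPREFIX), as an added illustration that is not the poster's own AcadDoc.lsp snippet and not code from this thread. The support folder name is an assumption; point it at your users' personal network space or a project folder that never holds .DWG files.

```lisp
;; Added example, not the poster's code: load <LOGINNAME>.lsp from a fixed
;; folder at document start, never from the drawing's own folder (DWGPREFIX),
;; so a .lsp dropped next to a drawing is never picked up automatically.
(defun LoadUserLisp ( / dir user path )
  ;; Assumed folder; replace with your own. Must NOT be (getvar 'DWGPREFIX).
  (setq dir  "S:\\users\\lisp\\")
  (setq user (getvar 'LOGINNAME))
  ;; Refuse a login name containing path characters, so the file name
  ;; built below cannot escape 'dir'.
  (if (and user (not (wcmatch user "*[\\/:]*")))
    (progn
      (setq path (findfile (strcat dir user ".lsp")))   ; nil if the file is absent
      (if path
        (progn
          (load path)
          (princ (strcat "\nLoaded user-specific LISP: " path))
        )
        (princ "\nNo user-specific LISP found; continuing with office defaults.")
      )
    )
    (princ "\nInvalid LOGINNAME; user-specific LISP not loaded.")
  )
  (princ)
)

;; Run once per drawing: put these lines in (or load them from) AcadDoc.lsp.
(LoadUserLisp)
```

`findfile` is given the full path, so it only reports that one file rather than searching the support path, and a missing file yields nil instead of an error. Nothing here reads from DWGPREFIX, so the check on `user` is the only input under someone else's control.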