jkcfg / jk

Configuration as Code with ECMAScript

Home Page: https://jkcfg.github.io

Don't allow import to escape the subtree of a script

dlespiau opened this issue

We don't want jk scripts to be able to load arbitrary files on the system. That would allow hermeticity to be broken a bit too easily.

There are now two guards against this:

  • modules are loaded from virtual file systems, so paths outside the root are not accessible
  • any import path beginning with ./ or ../ is resolved by the RelativeImporter, which looks only in the virtual file system of the importing module
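
The two guards described above can be sketched as follows. This is an added example, not code from the jk repository: it uses Go's standard `io/fs` with an in-memory `fstest.MapFS` as a stand-in for jk's virtual file system, and `resolveRelative`, `ErrEscapesRoot` and `sampleFS` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// ErrEscapesRoot (hypothetical) marks an import that resolves above the module root.
var ErrEscapesRoot = errors.New("import escapes module root")

// resolveRelative (hypothetical helper) resolves a ./ or ../ specifier against the
// directory of the importing file and reads it from that module's file system only.
func resolveRelative(vfs fs.FS, importer, spec string) (string, []byte, error) {
	if !strings.HasPrefix(spec, "./") && !strings.HasPrefix(spec, "../") {
		return "", nil, fmt.Errorf("%q is not a relative import", spec)
	}
	// path.Join cleans the result; a ".." that survives cleaning points above the root.
	resolved := path.Join(path.Dir(importer), spec)
	if !fs.ValidPath(resolved) {
		return "", nil, fmt.Errorf("%w: %q from %q", ErrEscapesRoot, spec, importer)
	}
	data, err := fs.ReadFile(vfs, resolved)
	return resolved, data, err
}

// sampleFS builds a constructed in-memory module tree.
func sampleFS() fs.FS {
	return fstest.MapFS{
		"index.js":      {Data: []byte("import './lib/util.js'")},
		"lib/util.js":   {Data: []byte("export const x = 1")},
		"lib/deep/a.js": {Data: []byte("import '../util.js'")},
	}
}

func main() {
	vfs := sampleFS()
	for _, c := range [][2]string{
		{"index.js", "./lib/util.js"},
		{"lib/deep/a.js", "../util.js"},
		{"lib/util.js", "../../etc/passwd"},
	} {
		p, _, err := resolveRelative(vfs, c[0], c[1])
		fmt.Printf("%s imports %s -> %q err=%v\n", c[0], c[1], p, err)
	}
}
```

Even if the explicit check were dropped, an `fs.FS` implementation is expected to reject paths that fail `fs.ValidPath`, which is the first guard; the explicit check gives a clearer error at the import site.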