Right now, YUI can execute any script, or any method on an object in the data context. In a released game this is obviously a huge security problem, so script access should require whitelisting, such that only the scripts allowed by the developer can be run.

This might be better solved by planned 'embedding' feature, though might still need to be solved to support UI modding (but that's way in the future)