Need proofread of this advice about using theme preview

In helping another admin on our site I gave the following advice, but I'm not sure it is 100% correct. Can those who know just proofread it and let me know if any part of it is wrong?

This is in the context of using the theme preview button.

Since themes are just CSS and JavaScript running after the text for the post has been returned from the SQL query, and they do not update the database, AFAIK it is totally safe; the worst I expect you can do is mess up the single HTML page you are previewing.

Unfortunately themes are not 100% safe. Preview will be running in the context of the admin account and it can make AJAX calls to all sorts of routes.

Someone malicious can do quite a lot of damage with a theme; it would be very obvious by looking at the source code, but it is technically possible.

I should have noted for the context that he is forking the Linkify words in post to work with the Prolog reference manual, so that when a predicate indicator is used ([module:]name{/|//}arity?) it will link directly to the predicate, e.g. append/3.

I don't see him adding malicious AJAX calls, but it is nice to know to look for this when downloading themes created by others. :smiley:

The communication on the component development is in a public post for those interested.