In compiled code no. The only way you can limit what gets called is by limiting which modules are available. With interpreted code you can try to limit which modules/functions are called but it is generally possible to get past if that if you are sneaky, you can build calls/code on the fly and if you have ONE thing which accepts a meta-call you are screwed.
The safest way is to run it in a separate machine and limit its access to the rest of the system.
The BEAM is not safe in that respect.
