And that sort of sandboxing would prevent a theme from hiding some spammy HTML in its code? I can think of many ways to do that, some of which don't even involve templating-level functions and just rely on the HTML level alone.
You're comparing apples and oranges here. You can run PHP in "safe mode", as many shared hosts do, to prevent shell access and disk access by PHP code.
The only problem here is one of misplaced trust (and perhaps WordPress allowing PHP in templates instead of using a dedicated templating language). People installing WordPress templates generally a) don't care where they come from and b) don't even read the source code, so this theme could probably include such links without any obfuscation and still successfully spread.
You're comparing apples and oranges here. You can run PHP in "safe mode", as many shared hosts do, to prevent shell access and disk access by PHP code.
The only problem here is one of misplaced trust (and perhaps WordPress allowing PHP in templates instead of using a dedicated templating language). People installing WordPress templates generally a) don't care where they come from and b) don't even read the source code, so this theme could probably include such links without any obfuscation and still successfully spread.