Ariadne has been designed from the start with security in mind. It has a fine-grained capabilities-based rights management system. Even a user with programmer rights works in a sandboxed environment without direct access to the database or filesystem.
Ariadne has its own query language, which makes it immune to SQL injection attacks, and since Ariadne 2.7.7 we've even implemented an automatic defense against Cross-Site Scripting (XSS) attacks.
Templates are how you get Ariadne to do anything. All system templates check for specific grants. Grants can be set on objects and on trees of objects, so whenever Ariadne does anything on any object, the user's grants are checked. This check is not done once per session; it is done on every access to every template on every object.
Ariadne's user and grants system is a hybrid of a role-based and a capabilities-based security system. Roles are added by creating groups and assigning users to them, and grants can be set on groups just as on users. You can also define your own custom grants and check for them in your own templates. By default grants trickle down the content tree, though they do not have to.
An Ariadne programmer who is allowed to create templates in one part of an Ariadne system cannot access the 'bare metal': Ariadne's coding firewall prevents this. All template code is scanned and compiled, and any construct that is not allowed, such as direct access to the filesystem, is disabled.
This means it is possible to let different users create and manage different websites on a single Ariadne system without any of them being able to access the other users' websites. Ariadne can even allow users to create and manage new users and their grants, if configured to do so, but only within those parts of the tree where they themselves have sufficient access.
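The grant model described above (grants on objects or whole subtrees, set on users or groups, inherited by default but not necessarily, and checked by every template on every call) as a small Python model. This is an added illustration, not Ariadne's own code or API; the paths, user and group names, custom grant and template names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Grant:
    principal: str        # user or group name (constructed names)
    grants: frozenset     # e.g. {"read", "edit"} or a custom grant
    inherit: bool = True  # trickle down the content tree (the default)

class GrantStore:
    def __init__(self):
        self.groups = {}   # user -> set of group names
        self.acl = {}      # object path -> list of Grant

    def add_to_group(self, user, group):
        self.groups.setdefault(user, set()).add(group)

    def grant(self, path, principal, grants, inherit=True):
        self.acl.setdefault(path, []).append(Grant(principal, frozenset(grants), inherit))

    def effective_grants(self, user, path):
        # Walk from the object up to the root: grants on the object itself
        # always count, grants on ancestors only when they trickle down.
        principals = {user} | self.groups.get(user, set())
        result, node, exact = set(), path, True
        while True:
            for g in self.acl.get(node, []):
                if g.principal in principals and (exact or g.inherit):
                    result |= g.grants
            if node == "/":
                return result
            node, exact = node.rsplit("/", 1)[0] or "/", False

    def check(self, user, path, grant):
        return grant in self.effective_grants(user, path)

# Each template declares the grant it needs; the check runs on every call,
# for every object, not once per session.
TEMPLATE_GRANTS = {"view.html": "read", "edit.html": "edit", "publish.html": "publish"}

def call_template(store, user, path, template):
    required = TEMPLATE_GRANTS[template]
    if not store.check(user, path, required):
        raise PermissionError(f"{user} lacks '{required}' on {path}")
    return f"{template} rendered for {path}"

def demo_store():
    """Constructed sample: two sites, two users, one group, one custom grant."""
    s = GrantStore()
    s.add_to_group("alice", "site_a_editors")
    s.grant("/", "alice", {"read"})                       # read everywhere
    s.grant("/sites/a", "site_a_editors", {"edit"})       # inherited by default
    s.grant("/sites/a/news", "alice", {"publish"}, inherit=False)  # this object only
    s.grant("/sites/b", "bob", {"read", "edit"})          # bob manages site b alone
    return s
```

Alice edits anywhere under /sites/a through her group, but her non-inherited 'publish' grant stops at /sites/a/news, and neither user can touch the other's site.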