It has the possibility of being much secure than Node/NPM. Even if you allow network access, a script will not have access to the file system unless you also grant it file system access. The first time you run a script, you have the option of walking through everything in all the code which requires any additional permissions (file system, network, etc) and individually granting or denying access. Eventually, the goal is to allow for more fine grained access, e.g. scoping permissions to specific paths or specific URLs.
It's not, not unless you can pin a hash and limit hosts in configuration.
On the flip side, I don't think it's much worse than npm.
It has the possibility of being much secure than Node/NPM. Even if you allow network access, a script will not have access to the file system unless you also grant it file system access. The first time you run a script, you have the option of walking through everything in all the code which requires any additional permissions (file system, network, etc) and individually granting or denying access. Eventually, the goal is to allow for more fine grained access, e.g. scoping permissions to specific paths or specific URLs.
None of this is a silver bullet, but it's much better (more secure) than Node/NPM which just allows everything.