Historically, CI was insecure. The ability to run full tests means that you can run arbitrary code on it, and historically CI test runners were not as 'isolated' as they currently are, so you had all sorts of opportunities to hijack the CI servers... a whitelist was needed. This was worked on in the CI isolation project, and now we do have nice isolation. I don't know why the whitelist was not removed, considering it was part of the long term plan. (perhaps to prevent, say DOS attacks?)
Since the last gerrit outage no test where done for CR+1 users. I guess this was introduced to prevent Jenkins running thousands of jobs after patches where vandalised. I think this would be ok for me. In a first step hints can be given by reviewer which is more readable than the test log. And CR+2 reviewers can “recheck” the code during the review process when appropriate.
I don’t think that we will go back to the previous state as patches where tested automatically since this vandalism impact and we can close this task or maybe have to close it due to this.