I think that some kind of signature (provided by a trusted source) should suffice. Sandboxing is propbably the most secure thing to do, but it has a few drawbacks:
1) It could potentially limit the functionalities if the loaded code (e.g. access to the filesystem)
2) Efficency, because almost every operation (such as memory accesses) should be checked to be sure the application doesn't try to get out of its sandbox.
3) Implementation: it doesn't seem to be very easy to implement :)
