Within Anarki all the file serving was done out of the special docroot directory (at least it was a month ago). I'm not sure if disallowing "../" is what we want or if what we really want is to ensure that all file serving comes from that dir.
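The two options weighed in the comment above, compared in an added example that is not part of the original thread and is not Anarki's code. It is written in Python rather than Arc; the function names, the sample requests and the assumption that the server joins the decoded request path directly onto the docroot are all hypothetical.

```python
import os
import tempfile

def naive_resolve(docroot, request_path):
    """Blacklist approach: refuse only requests that contain '../'."""
    if "../" in request_path:
        return None
    return os.path.realpath(os.path.join(docroot, request_path))

def confined_resolve(docroot, request_path):
    """Containment approach: canonicalize, then require the result under docroot."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, request_path))
    if os.path.commonpath([root, target]) != root:
        return None
    return target

def demo():
    """Build a constructed docroot and compare both checks on sample requests.

    Returns {case: (naive check serves a file outside docroot,
                    containment check serves the request)}.
    """
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "docroot")
    outside = os.path.join(base, "private")
    os.makedirs(docroot)
    os.makedirs(outside)
    open(os.path.join(docroot, "index.html"), "w").close()
    secret = os.path.join(outside, "secret.txt")
    open(secret, "w").close()
    # A symlink inside docroot that points at a directory outside it.
    os.symlink(outside, os.path.join(docroot, "link"))
    samples = {                       # constructed request paths
        "plain": "index.html",
        "dotdot": "../private/secret.txt",
        "absolute": secret,           # os.path.join discards docroot here
        "symlink": "link/secret.txt",
    }
    report = {}
    for name, req in samples.items():
        naive = naive_resolve(docroot, req)
        escaped = naive is not None and not naive.startswith(docroot + os.sep)
        report[name] = (escaped, confined_resolve(docroot, req) is not None)
    return report

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The "../" filter stops only the literal traversal string, while the containment check also refuses the absolute-path and symlink cases because it compares the canonical target against the docroot.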
This is why the whole "network of trust" concept as it relates to massive distributed software projects is important. I'm sure if Arc does well then PG will need to establish people whom he trusts to aggregate packages and give him only the good ones in order to cut down his personal time investment. Some guys on this forum are definitely knowledgeable enough and motivated.
This is what is broken in Arc right now - essentially we can't fix anything of this scale (or arguably anything non-trivial). If we do there will be merge nightmares when PG releases the next official version (and every subsequent release). All we can do is mention problems on the forum and hope he notices and changes things in the next official release.
I believe this would be solved if we shared a repository system (git) with PG in which we could submit patches which he would hopefully approve and merge in. Or not approve. Or delegate the sifting out of the good patches to someone who knows what they're doing / shares the proper vision of Arc.
I don't think that would fix it, as PG would probably refuse most of the patches anyway. It's not like this forum has a lot of traffic. Patches are unlikely to get lost in the flood (12 articles in the last 24 hours, and PG last commented 18 hours ago).
The two ways to get changes into Arc, as far as I can see, are to find a bug or write some real-world code that proves your suggestion is a good one. With so little real-world code around, that means very few changes will make it.
On the other hand, the last release was all about merging News.YC so there's no surprise that it lacks new features. Who knows, perhaps the next one will incorporate half the stuff from Anarki? We have very few data points from which to draw a conclusion.
Don't be disheartened, brother. It seems to me Mr. Graham gave us all a first cut to get exactly this kind of feedback, but the core language isn't yet fully baked, and so we should acknowledge that we're at the very beginning of a long journey. I'd be surprised if Linus Torvalds was merging in kernel patches from anyone besides himself in 1992.