I was fixing a couple security holes in CBA this last week when I began to dig a bit deeper into issues with compileFinal and function caching using uiNamespace.
I realized that in CBA if you currently disable our function caching system (that stores the cached functions in uiNamespace) in a editor mission and load that mission before ever getting in multiplayer you can hijack a cached by using compileFinal in uiNamespace to inject a protected function in an existing namespace. When CBA then tries to cache the real function into it, it will not load the new function, but retain the original code compiled into from the editor.
We solved this issue in SQF, but then I thought about any arbitrary functions that are defined in SQF functions that are also executed in uiNamespace. I found a number of these functions defined in the BI GUI SQF code. Using compile final in a mission editor I am able to hijack that variable name, and when Arma calls that SQF in the GUI (using the options menu GUI right now) it will fail to overwrite the hijacked variable and use the one I set in the editor instead.
Using the userconfig folder you can preprocess and load sqf files that will never been seen by signature checking because of how userconfig works, this allows easily loading exploit sqf libs.