I agree. From my reading at: https://www.postgresql.org/docs/9.5/static/sql-copy.html the COPY FROM PROGRAM is only available to a PostgreSQL user who is database superuser. That, sort of, implies to me that said user is trusted not to do "evil", but abide by the restrictions place upon him/her/it. In some strange reality where this is not the case, and I was running on Linux, I would use SeLinux in enforcing mode to really restrict what the id under which the server is running could do. That is, a "don't allow unless explicitly allowed" type policy. Or I'd "sandbox" the PostgreSQL server code using something like docker, or under in a virtual machine with little access to other services.
PostgreSQL version is 9.3 and O/s is both linux and windows.
I was trying to understand from both O/S perspectives that what kind of commands can be run using COPY FROM PROGRAM which can have an impact. Thanks for all the information!