I'm surprised that none of these global objects are set to not-configurable/not-writeable :/.
And yes, the general case of running untrusted js code in the same environment your code isn't safe.