Shopify has a full team of people that worry about exactly that
As far as ClassicPress or WordPress, allowing people to securely upload plugins and themes to a shared multisite installation would require a ground-up rewrite. Shopify provides a template language called Liquid for this purpose, with this kind of security as one of its design goals:
Liquid is a template engine which was written with very specific requirements: […] It needs to be non evaling and secure. Liquid templates are made so that users can edit them. You don’t want to run code on your server which your users wrote.
ClassicPress is secure as long as you know what plugin and theme code is running on your site, but allowing untrusted users to upload custom code to a running site is far out of scope for ClassicPress, WordPress, or just about any other CMS. At that point you basically need to run a hosting company with proper separation between accounts and all the other stuff like monitoring for security and resource usage.