Is this because of a bug and might be fixed in the future or is it considered an unavoidable consequence of some design decision and will stay that way for the foreseeable future?
From what I understand about Rust, if something similar was possible in safe Rust it would be considered a bug and eventually fixed.
I think it will stay that way for the foreseeable future (but who can say). Ways to fix the particular hole:
(1) disable creating new `code` objects directly from Python. This probably would break lots of things.
(2) Add a bytecode verification mechanism that would reject `code` objects whose bytecode would result in memory errors when executed. This could be a lot of implementation work; I'm not sure.