Correct me if I am wrong, but I suppose that users of Moodle cannot execute any PHP code they want... through the file system (repository) of Moodle. If I remember correctly, for example, PHP files that you upload to moodledata with file upload are handled as text files - not PHP files. On the other hand, the TeX filter does sanitize the code that it sends to the executable LaTeX binaries and ImageMagick/Ghostscript.
The risk of some kind of attack might be similar to allowing your teachers to add/use any custom JavaScript, Flash files or iframes - they make some attack types possible, but it does not mean that your teachers could hack your site.
And if you don't want to allow functions like system() or shell_exec() that the TeX filter is using, you can use some other math renderer, like the JavaScript-based MathJax.