I think it would depend on your teachers, really. I've seen experienced, advanced PHP developers accidentally drop entire databases before, so let's not think that only some neophyte teacher would do that.
Anytime you give that kind of access to ANYONE, you give up some security (even the webmaster can mess up). I can use th html block and write code that will destroy the database. All you needs is some JavaScript and an iframe.
Even with php enabled, you would still need to know the name of the database to do anything with it. Or the name of the Moodle function that accesses the database. By the time that you would find someone with ability to do all that, you've pretty much found someone who can do it even without a PHP block.
Something like this could be useful for the right purposes, and it could be given to those with the know-how to use it correctly. I say go for it!