A bit more detail:
1. The simplest "User-wide" implementation would look like this: in soapui-settings.xml a new variable would specify the ReadyAPI working directory (or the existing variable 'user.dir' variable could possibly be used). I imagine that from the coding side, the application would change directory (Unix 'chdir') to this directory immediately after loading configuration. This would then be the location in which any log files and temporary files would be created/updated, except where absolute paths had been given, i.e. in soapui-log4j.xml.
2. If #1 could be implemented so as to permit use of a relative path, that would allow logs for a project to be created within the project's tree and make for easier log review and troubleshooting for a failing project.
3. For more flexibility, consider supporting the use of an optional working directory 'override' variable within project definitions, which would cause SoapUI to change directory or otherwise use the specified path for all output.
We would be very happy even if only #1 is implemented in the short term. At least that would deal with the immediate security issue. Thank you, Ashley Hooper