Using php_eval() is safer than eval(), but does not allow one to change variables. Some users of Views PDF will always want/need to change variables, other users won't. I know that by using eval() I'm essentially granting users with the 'administer views' permission the ability to also execute PHP. There is already a warning on the 'administer views' permission to 'Give to trusted roles only'.
Can we have php_eval() enabled by default, but give the option, on the permissions or configuration page, to switch to eval()? Naturally there should be a warning that enabling eval() will allow users with 'administer views' permission to execute PHP—this is very dangerous! The UI option could be: 'enable FULL PHP for Views PDF'.
I realize entering PHP into the UI is frowned upon, but PHP code is currently the only way to do grid layout, and access many features of TCPDF, such as barcodes. Maybe one day UI and code enhancements will make some custom PHP unnecessary, but I think for some there will always be a need to use PHP to modify variables.