Quite. I don't think there is a solution that's going to work everywhere and the current version is simple and effective for most people. I fixed my InteractiveUI.hs to ignore g+w if the group that owns the file is my group, but that's completely wrong at sites which have some users in shared groups. I guess there's no reliable general test for a UPG except with local knowledge. There's certainly no fix for the shared directory situation that isn't also going to let dubious .ghci files through elsewhere.
Unfortunately I can't think of any better option than to leave it as it is with a note in the manual indicating the default permissions-checking behaviour is and where to look in the source to change it if necessary.
To subvert GHCi's paranoia, just put this in your $HOME/.ghci: :def source IO.readFile :source ./.ghci (for extra marks, you could make it check that `pwd` /= $HOME, that you hadn't already loaded ./.ghci). Cheers, Simon PS. quite embarrassingly, it appears that GHCi just goes ahead and reads $HOME/.ghci even if the permissions are unsafe. Time for another release methinks, before GHCi gets its first CERT advisory :)