I'm just going to pitch in and say that I think that loadstring()'ing arbitrary addons is a horrible, horrible idea. The security implications are mindblowing, and the things you'd gain in exchange for the cost you'd incur just simply isn't worth it. Addons are already free and easy to find, install, and update.
What this basically boils down to is "Give me root on your box so I can fix Problem X for you." It's the WoW equivalent of running a VNC server. You don't give VNC access to anyone you don't absolutely trust, and I think that to expect the WoW community to exercise the correct level of caution and security prowess is naieve at best.
The problem is that you can hook and modify addon code very easily at runtime, and if you were to expose any level of functionality powerful enough to be useful, it would be enough to ensure that the base addon's signature checking, trust validation, and other security measures could be bypassed by loadstring()'d code. It's very difficult to protect UI code without a harsh setfenv, but if your setfenv is too restrictive then the whole concept becomes pointless anyhow. It just takes one, and then you effectively have a backdoor in your WoW install for anyone with the desire to execute whatever they want on your machine.
I said it in IRC, but it was a bad idea when Kenco toyed with the idea for KTM, and I think it's a bad idea now.