I was thinking that an empty whitelist should implicitly *allow* all. The presence of one or more variables in the whitelist is a signal that the user cares and explicitly disallows anything not in the whitelist. I think this is totally compatible with any existing grub.cfg, unless somebody has some junk similar to load_env [-f FILE] junk1 junk2... The existing code in loadenv.c:grub_cmd_load_env() doesn't even look at argc, so I think it would ignore such junk.
I have some other feedback from IRC that I will incorporate, and do a v4 of these patches. The v3 changes to loadenv.c don't completely make sense, as I was trying to react to Andrey's feedback before he realized the whitelist wasn't already implemented.
Thanks,
-Jon
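
The whitelist semantics proposed in this message, as a stand-alone C sketch added here (it is not the patch's code and not GRUB's): an empty whitelist accepts every variable, a non-empty one accepts only exact name matches. `whitelist_allows`, `filter_env` and `SAMPLE_ENV` are hypothetical names, the sample block is constructed, and the parser assumes plain `name=value` lines with no escape handling.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: simplified environment block, '#' lines are header/padding. */
static const char SAMPLE_ENV[] =
    "# GRUB Environment Block\n"
    "saved_entry=0\n"
    "next_entry=2\n"
    "prefix=(hd0,msdos1)/boot/grub\n"
    "####";

/* Returns 1 if the variable name (not NUL-terminated, `len` bytes) may be loaded. */
static int whitelist_allows(const char *name, size_t len, int argc, char **argv)
{
    if (argc == 0)                 /* empty whitelist: implicitly allow all */
        return 1;
    for (int i = 0; i < argc; i++) /* exact match only, never a prefix match */
        if (strlen(argv[i]) == len && memcmp(argv[i], name, len) == 0)
            return 1;
    return 0;                      /* whitelist present: unlisted names are refused */
}

/* Walks the block line by line; writes accepted names, space separated, to
   `accepted` (capacity `cap`) and returns how many variables were accepted. */
static int filter_env(const char *buf, int argc, char **argv, char *accepted, size_t cap)
{
    int n = 0;
    accepted[0] = '\0';
    while (*buf) {
        const char *eol = strchr(buf, '\n');
        size_t linelen = eol ? (size_t)(eol - buf) : strlen(buf);
        const char *eq = memchr(buf, '=', linelen);
        if (buf[0] != '#' && eq && eq != buf) {      /* skip comments and malformed lines */
            size_t nlen = (size_t)(eq - buf);
            if (whitelist_allows(buf, nlen, argc, argv)
                && strlen(accepted) + nlen + 2 <= cap) {
                if (n) strcat(accepted, " ");
                strncat(accepted, buf, nlen);
                n++;
            }
        }
        buf += linelen + (eol ? 1 : 0);
    }
    return n;
}

int main(void)
{
    char out[128];
    char *wl[] = { "saved_entry", "next_entry" };
    printf("no whitelist: %d (%s)\n", filter_env(SAMPLE_ENV, 0, NULL, out, sizeof out), out);
    printf("whitelist:    %d (%s)\n", filter_env(SAMPLE_ENV, 2, wl, out, sizeof out), out);
    return 0;
}
```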