What would be the required change: no longer emit exec if globals and/or locals is provided?

What would be the required change: no longer emit exec if globals and/or locals is provided?

Yes

Kind of depends on how "safe" we want to keep these.
If you're using Python for a server or API backend I think it would be good to have this warning irrespective of globals and locals.
exec("raise SystemExit", {}, {}) could still cause many troubles.

Maybe we could burst the message into "unsafe-exec-used" and "exec-used" ?

I'm not sure. In the example you gave above I can still raise SystemExit. There are probably other attack vectors that we don't even know about.
If you really want to exec, just disable the message? It's a short message name anyway 😄

Being able to raise exception is not the same as being able to read all the env variable and transferring them to a server using requests though. Imo if globals / locals are defined, it probably means everything we'll raise about this call will be a false positive because the user thought about it.

Try exec(input(), {}, {}) and type in:
exec("""\nwith open("file.txt", "w", encoding="utf-8") as file:\n file.write("test")\n""")

I can write to your system, I can read from your system and then print the contents, I can probably even import requests and do it that way. exec should always be warned against imo. Just to make sure users are very sure they want to use it and make sure it can't be controlled by anybody else.

Well that is convincing. Let's update the doc about exec-used with details from this conversation and close this.