Details
- Improvement
- Resolution: Unresolved
- Blocker
- 1.2.9
Description
There are a lot of apps that use the Groovy-based config (including all Grails apps). To convert these to XML will require a lot of changes, and there would be things that are not supported. For example, in all the apps I'm currently working on we have a standard setup for the dev environment, but in the production environment we use an appender for Log Entries. I think it should be the implementer's choice whether to use Groovy for config or not, and just make the implementer aware of the possible issue.
That being said, there are steps you can take to lock down a DSL using the SecureASTCustomizer. The SecureASTCustomizer lets you limit what a user can import and what tokens they can use, and you can even create a SecureASTCustomizer.ExpressionChecker that would allow you to add an allow-list check for method names.
I created some sample code at this link:
https://github.com/virtualdogbert/logback-test
I would say this is a good start, but you would have to actually integrate it with the deleted code and do a fair amount of testing. There may be other imports that other people would want added to the allow list, based on whatever framework they are using, which is something that could be updated/expanded over time; however, being security-minded, you will probably want to keep the list somewhat short and concise.
Here are some additional links about using the SecureASTCustomizer:
https://docs.groovy-lang.org/latest/html/documentation/#compilation-customizers
https://blog.mrhaki.com/2014/04/groovy-goodness-restricting-script.html
Let me know your thoughts or if you have any questions.
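The lockdown described in the issue, as an added, self-contained example (this is not the code from the linked logback-test repository or from Logback itself). It uses a toy `ConfigScript` base class as a stand-in for Logback's Groovy DSL, an `ALLOWED_METHODS` set that is an assumed allow list (a real one would carry Logback's `logger`, `encoder`, etc.), and the Groovy 3.x `*Whitelist` setter names on `SecureASTCustomizer` (Groovy 4 renamed them to `allowed*`/`disallowed*`). It shows the three layers the issue mentions: an import allow list with indirect import checking, a token allow list, and an `ExpressionChecker` that allow-lists method names.

```groovy
import groovy.transform.Field
import org.codehaus.groovy.control.CompilationFailedException
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import org.codehaus.groovy.ast.expr.Expression
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.syntax.Types

// Hypothetical config DSL: the only API a config script is meant to reach.
// Stand-in for Logback's Groovy DSL, kept tiny so the example runs offline.
abstract class ConfigScript extends Script {
    Map<String, Map> appenders = [:]
    Map root = [:]

    void appender(String name, Closure body) {
        Map props = [:]
        body.delegate = props                    // `pattern = '...'` inside the block lands in props
        body.resolveStrategy = Closure.DELEGATE_FIRST
        body()
        appenders[name] = props
    }

    void root(String level, List<String> refs) {
        root = [level: level, refs: refs]
    }
}

// Assumed allow list of method names a config script may call.
@Field final Set<String> ALLOWED_METHODS = ['appender', 'root'] as Set

CompilerConfiguration lockedDownConfig() {
    SecureASTCustomizer secure = new SecureASTCustomizer()
    secure.packageAllowed = false               // no `package` statements
    secure.methodDefinitionAllowed = false      // config scripts declare no methods
    secure.closuresAllowed = true               // DSL blocks are closures, so they must stay allowed
    // Layer 1: imports. An empty allow list forbids every import, and with the indirect
    // check on, a class used without an import (System, File, Runtime, ...) is rejected too.
    secure.indirectImportCheckEnabled = true
    secure.importsWhitelist = []
    secure.starImportsWhitelist = []
    secure.staticImportsWhitelist = []
    secure.staticStarImportsWhitelist = []
    // Layer 2: tokens. Only assignment and string concatenation are needed by the DSL.
    secure.tokensWhitelist = [Types.ASSIGN, Types.PLUS]
    // Layer 3: method names. Every MethodCallExpression must name an allowed DSL method;
    // a dynamic method name (methodAsString == null) is treated as not allowed.
    secure.addExpressionCheckers({ Expression e ->
        if (e instanceof MethodCallExpression) {
            String name = ((MethodCallExpression) e).methodAsString
            return name != null && ALLOWED_METHODS.contains(name)
        }
        return true
    } as SecureASTCustomizer.ExpressionChecker)

    CompilerConfiguration cc = new CompilerConfiguration()
    cc.scriptBaseClass = ConfigScript.name
    cc.addCompilationCustomizers(secure)
    return cc
}

// Compiles and runs a config script under the lockdown; compilation fails when any layer rejects it.
Map compileAndRun(String source) {
    GroovyShell shell = new GroovyShell(lockedDownConfig())
    ConfigScript script = (ConfigScript) shell.parse(source)
    script.run()
    return [appenders: script.appenders, root: script.root]
}

boolean isRejected(String source) {
    try {
        compileAndRun(source)
        return false
    } catch (CompilationFailedException ignored) {
        return true                              // SecureASTCustomizer's SecurityException surfaces as a compile error
    }
}

// Constructed sample scripts: a plain config, and one that reaches outside the DSL.
String goodConfig = '''
appender('STDOUT') {
    pattern = '%d %level ' + '%msg%n'
}
root('INFO', ['STDOUT'])
'''
String badConfig = '''
appender('STDOUT') {
    pattern = System.getProperty('user.home')
}
'''

assert compileAndRun(goodConfig).root.level == 'INFO'
assert compileAndRun(goodConfig).appenders.STDOUT.pattern == '%d %level %msg%n'
assert isRejected(badConfig)
println 'locked-down DSL accepted the config and rejected the escape'
```

The rejected script trips two layers independently: `System` resolves to a class expression that is not in the (empty) import allow list, and `getProperty` is not in `ALLOWED_METHODS`. Keeping both checks is deliberate: the method-name list catches calls on the implicit `this` receiver that the import check never sees, while the import check catches class references that happen to use an allowed method name.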