(Another, updated answer for 3.0 as this question becomes more commonly asked)
So, this is a common question that comes up. https://github.com/godotengine/godot/issues/7753
Essentially you are limited to...
Throwing security out the window and letting people create their own GDScript code. This is what the current answer to this question would be. Just let people create their own GDScript (or VisualScript, or CSharpScript, w/e), and have it reference the assets and whatnot. Then, just plug the assets and scripts into a folder and write your game content so that it scans for that folder to look for pluggable scripts when it starts up. This effectively lets people run whatever arbitrary scripts they want though, so there is no 100% secure way of letting them execute those scripts (since scripts already have OS and network access, among other things).
Waiting until someone implements some sort of sandbox support to protect the local operating system while the game executes (based on the Issue linked above).
Design your own scripting methodologies for your unique project. Examples include...
a. creating a custom VisualScript editor using custom
b. creating a custom text-based scripting language.
c. creating a data-driven game where players can edit the data files (editing JSON data or something) in order to modify what content is available in the game.
...or any combination of the above 3.
Note that most other games with modding tools will essentially have created their own in-house tools for editing game content, but those tools will be for their designers and artists (and you as a modder are using those tools), whereas the programmers deal with an entirely separate layer of more detailed information. If you think of Godot as the programmer layer, you would effectively need to create the entire "designer layer" by creating a new layer of the Godot engine that is exposed to them. For example...
If I create an entirely separate Godot project that is the "modding tools" for my game, I might have a base PanelContainer with a GridContainer, some side-docks for FileSystem access, a Viewport in the middle for seeing the world, possibly having an "edit Script" setup that is VisualScript based, but filled with my own custom nodes, etc. Hmmm....this is starting to look more and more like me re-creating the Godot Engine. That's because you basically are re-making Godot, just in a much more restricted and controlled environment that helps prevent people from mis-using the engine's local access to the operating system and network protocols.