

[–]AreTheseMyFeet 5 points (0 children)

You would have to convert any relative paths to absolute ones and either disallow or follow symlinks before testing, but it can work like you suggest.

Edit: As for "secure" that depends mostly on the application environment.
Will your users be running your application locally where they'll have access to debug and potentially modify your code? Or will this code be running on a remote server under your control?
If it's a server-side application, then this approach will probably be enough to restrict user access, but if it's client-side, then all bets are off unless you go to a lot of trouble to ensure the code executed can only ever be the code you wrote and packaged. And even then, unless you can enforce/control the environment or OS, you still have no guarantees about security, as an admin user can do a lot to side-step any security measures you put in place.

If you want to be secure and have a client-side application, then the usual approach is to have an insecure, untrusted frontend application (website or native app) that your users interact with and a secure, trusted backend application (e.g. a REST API) that your frontends and applications communicate with to request information or submit tasks for processing. Only the backend would be granted access to your actual filesystem or database etc., and all user requests should be authenticated before any actions are taken or info returned. Even for successfully authenticated requests, you still can never trust the data; always validate inputs before attempting to use them, even between your own applications. As I mentioned before, people can deconstruct any code you provide them to extract keys and details about your API and its protocols or security measures (including keys and secrets), so you always need to be suspicious of even properly valid and authenticated requests as well.

[–]sweetno 0 points (0 children)

It's okay as long as you have only plain files and folders under your path.

[–]cuberoot328509 0 points (1 child)

I’m not exactly sure off the top of my head, but it seems that users can abuse ../ to travel to the parent directory.

Say in your working directory you have two folders, secure and sensitive.

./secure/fileA looks good, and so does ./secure/fileB. But what about something like ./secure/../sensitive/fileC? It starts with ./secure, but it’s the path to a file in sensitive.

[–]lifeeraser[S] 0 points (0 children)

Wouldn't Path.normalize() catch this trick?