
Python format string

CONFIG = {
    'SECRET_KEY': 'super secret key'
}
 
class Event(object):
    def __init__(self, id, level, message):
        self.id = id
        self.level = level
        self.message = message
 
def format_event(format_string, event):
    return format_string.format(event=event)

If the user can inject format_string here, they could discover the secret string like this:

{event.__init__.__globals__[CONFIG][SECRET_KEY]}
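The fix is to stop handing user-controlled format strings to str.format at all, or, where the template must stay user-editable, to run it through a string.Formatter subclass that refuses attribute and index traversal and only resolves an explicit whitelist of top-level names. The block below is an added example, not code from the original page or from the linked articles: it repeats the page's CONFIG/Event/format_event snippet for contrast and adds a hypothetical SafeFormatter and format_event_safe that pass only plain values (not the event object) into the template.

```python
import string

# The page's own vulnerable setup, repeated so the block runs stand-alone.
CONFIG = {
    'SECRET_KEY': 'super secret key'
}

class Event(object):
    def __init__(self, id, level, message):
        self.id = id
        self.level = level
        self.message = message

def format_event(format_string, event):
    # Vulnerable: the template can walk event.__init__.__globals__[...] and read CONFIG.
    return format_string.format(event=event)


class SafeFormatter(string.Formatter):
    """Formatter that resolves only whitelisted top-level field names.

    Hypothetical hardening: by overriding get_field we bypass the default
    attribute (".") and index ("[...]") traversal entirely, so a template can
    never reach __globals__, __class__, __subclasses__ and so on.
    """

    def __init__(self, allowed):
        super().__init__()
        self.allowed = frozenset(allowed)

    def get_field(self, field_name, args, kwargs):
        # Any dotted or indexed field is a traversal attempt; reject outright.
        if '.' in field_name or '[' in field_name:
            raise ValueError("attribute/index access not allowed: %r" % field_name)
        # Positional fields ("{}", "{0}") are not in the whitelist either.
        if field_name not in self.allowed:
            raise ValueError("unknown field: %r" % field_name)
        return kwargs[field_name], field_name


def format_event_safe(format_string, event):
    # Hardened: whitelist the three fields and pass plain values, never the object,
    # so there is no rich object to traverse even if a check were bypassed.
    fmt = SafeFormatter(allowed=('id', 'level', 'message'))
    return fmt.format(format_string,
                      id=event.id, level=event.level, message=event.message)


def template_is_rejected(format_string, event):
    """Return True if the hardened formatter refuses the template."""
    try:
        format_event_safe(format_string, event)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    ev = Event(7, 'WARN', 'disk almost full')  # constructed sample event
    print(format_event_safe('[{level}] #{id:>4}: {message}', ev))
    print(template_is_rejected('{event.__init__.__globals__[CONFIG][SECRET_KEY]}', ev))
```

Format specs such as `{id:>4}` still work because SafeFormatter only overrides field lookup; nested specs like `{message:{id}}` are resolved through the same get_field check, so they cannot smuggle a traversal in either.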

https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/

https://book.hacktricks.xyz/kr/generic-methodologies-and-resources/python/bypass-python-sandboxes#python-format-string

python-format-string.txt · Last modified: 2024/10/07 20:57 by osorin