The format of the packets -- whether JSON, XML, ASN.1-BER, or your custom binary serialization format -- does not change your security model at all.
JSON is fine as long as throughput doesn't matter. I know several turn-based games that use JSON, including some that I've worked on myself.
Once you measure your data rate in "packets per second" rather than "seconds per packet," you may find that JSON is too verbose -- or, more likely, that HTTP is too verbose, if that's your transport. At that point, a direct, persistent connection with binary payloads starts making a lot of sense.
I never said anything to the contrary.
My point is transmitting executable code as a communication mechanism does change your security profile. To make it secure you have to basically strip out all execution potential from your data stream and the interpretation mechanisms, at which point you may as well just use an existing serialization mechanism in the first place.
[Edit] For further clarity: I'm not talking about the subject line (which talks about JSON) but rather about the actual question the OP asked, which was using Lua as a JSON replacement. JSON is not executable by default; Lua is. That's all I'm saying is a bad idea.