They can run any code. You can use checksum and such a site centralizing would be in the clear as it doesn't contain any copyrighted material, only hashes (perhaps including cover art would be a problem?)
As far as I know there exists one specifically for switch (nswdb.com, which is used by a common dumping tool to verify if your dump is valid or not) and another for basically every console but the switch (for some reason) run by no-intro (datomatic.no-intro.org)
Another site that only cares about disc-based releases is redump.org, which has quite a few dumping guides in their wiki.
In general emulated code should only be able to interact with the emulated machine, not the host machine running the emulator. But there's no specific sandboxing and there have been cases of bugs in emulators that allowed specially crafted roms to execute code on the host (https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit...)
As far as I know there exists one specifically for switch (nswdb.com, which is used by a common dumping tool to verify if your dump is valid or not) and another for basically every console but the switch (for some reason) run by no-intro (datomatic.no-intro.org)
Another site that only cares about disc-based releases is redump.org, which has quite a few dumping guides in their wiki.