Using latest dev image, I notice the form/process/save/body default setting does not pass security check as it uses the include tag.
So
process:
save:
body: "{% include 'forms/data.txt.twig' %}" # include tag is blocked by security!
can be the text in forms/data.txt.twig
process:
save:
body: "{% extends 'forms/default/data.txt.twig' %}" # include tag is blocked by security!