msgpack-numpy

pickle is always enabled

Open: KennyChenBasis opened this issue 1 year ago • 1 comment

The ability to support object arrays using pickle was recently added, but there doesn't seem to be any way to disable pickle for serialization/deserialization. One of the reasons to use msgpack is that unpickling can execute arbitrary code, so forcing pickle to always be used removes that reason. However, it should be easy to add a user-configurable option to control whether pickle can be used (e.g. add a keyword allow_pickle for encode and decode) so that both use cases are available.

I also suggest that pickling defaults be the same as numpy's (i.e. allow pickle during serialization, but disallow pickle during deserialization) since it provides the maximum functionality while being the safest.

I can write up a PR if that would be useful.

KennyChenBasis, Sep 13 '22 05:09

Sure - feel free to send in a PR.

lebedov, Sep 13 '22 16:09
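A sketch of the gate proposed in the issue, added here as an illustration and not taken from msgpack-numpy or from any PR: `encode` allows pickle by default and `decode` refuses it by default, matching the numpy-style defaults the issue suggests. The dict layout (`nd`, `pickled`, `dtype`, `shape`, `data`) and `PickleDisabledError` are assumptions made for this example, and only plain numeric dtypes take the raw-buffer path.

```python
import pickle
import numpy as np

class PickleDisabledError(ValueError):
    """An object array was seen while pickle is disallowed."""

def encode(obj, allow_pickle=True):
    """msgpack `default`-style hook: ndarray -> dict (constructed layout)."""
    if not isinstance(obj, np.ndarray):
        return obj
    if obj.dtype.hasobject:
        # Object arrays have no raw-buffer form; pickle is the only option.
        if not allow_pickle:
            raise PickleDisabledError("object array requires allow_pickle=True")
        return {"nd": True, "pickled": True, "data": pickle.dumps(obj)}
    return {"nd": True, "pickled": False, "dtype": obj.dtype.str,
            "shape": list(obj.shape), "data": obj.tobytes()}

def decode(obj, allow_pickle=False):
    """msgpack `object_hook`-style hook; refuses pickle unless opted in."""
    if not (isinstance(obj, dict) and obj.get("nd") is True):
        return obj
    if obj.get("pickled"):
        # The gate must run before pickle.loads: loading is the dangerous step.
        if not allow_pickle:
            raise PickleDisabledError("pickled payload refused (allow_pickle=False)")
        return pickle.loads(obj["data"])
    dtype = np.dtype(obj["dtype"])
    if dtype.hasobject:
        # A sender-controlled dtype string must not reintroduce object arrays.
        raise PickleDisabledError("object dtype not allowed in a raw buffer")
    return np.frombuffer(obj["data"], dtype=dtype).reshape(obj["shape"])

if __name__ == "__main__":
    numeric = np.arange(6, dtype=np.int32).reshape(2, 3)
    print(decode(encode(numeric)))
    mixed = np.array([{"k": 1}, None], dtype=object)  # constructed sample
    try:
        decode(encode(mixed))
    except PickleDisabledError as exc:
        print("refused:", exc)
```

A caller that trusts the sender can opt in by passing `functools.partial(decode, allow_pickle=True)` as the `object_hook`.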