I wrote another blog about a similar issue with Sudo, and, in general, about why it is hopeless to prevent malware this way. Once this goes through, I might write a third blog talking about why, in more abstract terms, this problem won't be solved on the current user-separation paradigm. PR has the blog right now, hopefully they'll approve it (I'm sure they will), then I'll post a link to it here.