Isn't it dangerous to assume all malicious programs will use scratch files before communicating across the network? Won't you miss programs that use purely in-memory structures?
Yes, it is. And that was just a simplified example. In practice, if you were running something you were very distrustful of, you would block almost all of its file access. You also wouldn't leave it running for long enough to feed it enough keystrokes to get you into trouble. But even if you did, you would catch it with all the file opens (and network connection opens) before it could transmit your keystrokes and get you into trouble. In practice, many file open() calls are required to perform any function.
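As an added illustration of the point the answer makes (not code from the original thread), the following uses Linux seccomp-BPF, a mechanism the post does not name, to make a child process's file opens and outbound connects fail with EPERM while every other syscall still works; `install_deny_filter` and `confined_probe` are hypothetical names, and the code assumes Linux on x86_64 or aarch64.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#define SANDBOX_ARCH AUDIT_ARCH_X86_64 /* add other AUDIT_ARCH_* values as needed */
#endif

/* Deny-list filter: openat (glibc's open() path) and connect get EPERM, other syscalls pass, a foreign-ABI syscall kills. */
static int install_deny_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 2, 0),  /* match -> ERRNO return */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 1, 0), /* match -> ERRNO return */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork, confine the child, try open() and connect() there; returns bitmask 1 = open denied, 2 = connect denied, -1 on setup failure. */
static int confined_probe(void) {
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {
        if (install_deny_filter() != 0) _exit(255);
        int r = 0;
        if (open("/dev/null", O_RDONLY) < 0 && errno == EPERM) r |= 1;
        int s = socket(AF_INET, SOCK_STREAM, 0); /* socket() itself is still allowed */
        struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(9), .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
        if (s >= 0 && connect(s, (struct sockaddr *)&sa, sizeof sa) < 0 && errno == EPERM) r |= 2;
        _exit(r);
    }
    int status; if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 255) return -1;
    return WEXITSTATUS(status);
}
```

For code you genuinely distrust, the answer's advice translates to an allow-list (default deny, permit only what the task needs) rather than this two-entry deny-list, which only isolates the two syscalls the answer names.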