
The point is that you don't want this convenience, implemented in any way. You want to be sure that all the invocations of stuff like `ssh` or `sudo` or even plain `cat` would actually come from your OS userland, and not some executable that happens to be in the current directory.



With this, it's only run from cwd if there is no "ssh" in PATH. It's basically the same as putting "." at the end of the PATH though.

Putting "." at the start of PATH is probably not a good idea (and probably also not very convenient), but putting it at the end should be mostly harmless for most desktop users.


It's better than putting '.' at the end of your path though, because your PATH is inherited by non-interactive processes (like the compiler run by 'go get'), while command_not_found is only for your interactive shell session.

The vulnerability this post is about is one where command_not_found is safe, but a '.' at the end might not be (if you don't have 'gcc' installed, but the malicious repository you 'go get' included a 'gcc' executable).
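The distinction in the comment above (PATH is inherited by every child process, while a command_not_found handler lives only in the shell whose rc file defined it) can be shown with a small script. This is an added example, not code from the thread or from any commenter; the command name `constructed-tool` and the scratch directory are constructed for the demo, and the handler check assumes bash's `command_not_found_handle` convention. It also includes a `path_has_cwd` check that flags both a literal "." and an empty PATH component, which the shell treats the same way.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Shows:
#  1. a "." or empty entry in PATH makes a missing command resolve to a file
#     in the current directory, and that PATH is inherited by child processes;
#  2. a command_not_found_handle defined in the parent shell is not seen by a
#     non-interactive child such as `bash -c`.
# All command and file names below are constructed for the demo.

# Return 0 if PATH (or the argument) contains a current-directory entry:
# a literal "." or an empty component (leading, trailing or double colon),
# which the shell treats as ".".
path_has_cwd() {
    case ":${1-$PATH}:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# Resolve a command name under a given PATH in a fresh, non-interactive bash
# whose working directory contains an executable of that name.
# Prints what the child resolves (e.g. "./constructed-tool") or "not found".
resolve_in_child() {
    local path="$1" cmd="$2" dir
    dir=$(mktemp -d)
    # Harmless stand-in for the "gcc in the repository" case from the thread.
    printf '#!/bin/sh\necho cwd-copy\n' > "$dir/$cmd"
    chmod +x "$dir/$cmd"
    ( cd "$dir" && PATH="$path" bash -c 'command -v "$1" || echo "not found"' _ "$cmd" )
    rm -rf "$dir"
}

# Define command_not_found_handle in this shell, then run a missing command in
# a non-interactive child. Returns the child's exit status: 127 means the child
# never saw the handler (functions are not inherited unless exported).
child_status_without_handler() {
    local cmd="$1" rc
    command_not_found_handle() { echo "handler: $1"; return 0; }
    PATH=/usr/bin:/bin bash -c '"$1"' _ "$cmd" >/dev/null 2>&1
    rc=$?
    unset -f command_not_found_handle
    return "$rc"
}

# Usage when run directly: report on the current PATH and show both effects.
if path_has_cwd; then
    echo "warning: PATH contains a current-directory entry"
fi
echo "with '.' at end of PATH:   $(resolve_in_child "/usr/bin:/bin:." constructed-tool)"
echo "without '.' in PATH:       $(resolve_in_child "/usr/bin:/bin" constructed-tool)"
child_status_without_handler constructed-tool
echo "child exit status with parent-only handler: $?"
```

The first `resolve_in_child` call is the situation the comment warns about: a build tool invoked by a non-interactive process finds `./constructed-tool` purely because "." is in the inherited PATH. The handler check shows the contrast: the parent shell's `command_not_found_handle` does nothing for the child, which simply gets exit status 127.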


You might also occasionally mistype ssh as shs or so?





