
Not much, but nothing says the user needs to be able to type 'rm -rf foo'. Most people are used to OSes that are designed to be fast and permissive, but you can code a defensive OS.



What sort of defensiveness do you think will work to effectively prevent -- to make up an example -- an application from popping up a fake login screen that asks them to enter the details, then mails the login info to the attacker and the program to all the victim's friends, without making the system unusable? Signed binaries where the signature describes the level of access might work if you don't allow it to be subverted by the user, but at the cost of essentially losing control over what you can run.

I can't think of an especially usable uber-paranoid defensive system, although I'd definitely love to be proven wrong. Essentially, the problem isn't a totally technological one. The core of the problem is that the user can effectively be convinced to be their own attacker.



