@Adobe is to blame
You are right that a document reader (or web browser, email client, etc) should NOT run with any privileges that could allow system-wide code injection, but that is not to say that it *wont* in all cases.
Why, for example, is IE6-8 not separable from w2k/XP, and updates to it generally require a system reboot?
However, there is also the question of a crap document reader being capable of running bad code that could be used in conjunction with OS vulnerabilities to penetrate the system.
In the case of Adobe, it in a combination of crap software (an endless stream of issues, and multi-week delays in patching, that make MS look the golden boy in comparison), a flaky updater (though it is possible they had this centrally managed in a competent manner), and finally some incredibly dumb features such as executing a program from the document! WTF!
http://www.theregister.co.uk/2010/03/31/pdf_insecurity/
So while the OS should be up to the job of protecting against injection, you can start by dealing with open gateways to code execution in the first place.
Remember, in a case like this (wanting to steal valuable documents) simply compromising the user's account is often enough to get the documents. You don't actually need system-wide root access, though of course that makes the black hat's day if they achieve it.
Biting the hand that feeds IT
