"Wouldn't messing with the Applications filesystem require root?"
Not for user-installed applications; those are usually not system-level protected. Which is why a ransomware application could merrily encrypt a bit of anti-ransomware--which would reside in the Applications filesystem--without that very anti-ransomware noticing itself being encrypted, if the Applications filesystem is not being watched.
Fine-graining is all very nice with the permissions, but root needs to be root (in case of a seriously banged-up system, you need to have an account capable of fixing it. Trust me on that. Been there.) I'm all for more dexterous permissions, but that's hardly likely to happen in a consumer OS. Granted, the system-level filesystems on macOS are safeguarded relatively well (compared to certain other players), but the problem remains that the Applications filesystem has mixed permissions depending on who installed what, so it remains vulnerable, with most user-installed apps being part of Userland.
Yes, I know I'm borderline paranoid. Which I figure is a good thing if you're a sysadmin.
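
Added example, not part of the comment above: a small audit script for the mixed-permissions point, listing application bundles (and their main executables) that can be modified without root. The function names, the `Contents/MacOS` layout check and the search depth are assumptions of this sketch; it reads POSIX mode bits and ownership only, not ACLs.

```shell
#!/bin/sh
# Added example: find .app bundles that are modifiable without root.
# Usage (assumed): sh audit_apps.sh /Applications

# Print "<reason><TAB><path>" for bundle directories and the files under
# Contents/MacOS that match the find(1) predicate given after the directory.
_report() {
    reason=$1
    dir=$2
    shift 2
    find "$dir" -maxdepth 5 \
        \( -path '*.app' -o -path '*.app/Contents/MacOS/*' \) \
        ! -type l "$@" -print 2>/dev/null |
    while IFS= read -r path; do
        printf '%s\t%s\n' "$reason" "$path"
    done
}

# Run three checks over one directory:
#   not-root-owned : the owner can rewrite the item without elevating
#   group-writable : any member of the owning group can rewrite it
#   world-writable : any local account can rewrite it
audit_apps() {
    target=$1
    _report not-root-owned "$target" ! -user root
    _report group-writable "$target" -perm -020
    _report world-writable "$target" -perm -002
}

# Run the audit only when a directory is passed on the command line.
[ -z "${1:-}" ] || audit_apps "$1"
```

Any line in the output is a bundle that a process running as an ordinary user (or group member) could alter, which makes it a candidate for file-integrity monitoring or for reinstalling with root ownership.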