Re: Ahh, it's application level granularity...
"Adding both problems and you can get any software to do anything."
I believe that hole (that potentially allowed you to take over the elevated privileges of say antivirus programs!) was fixed some time ago.
"if you allow Office full access, you can always use OLE Automation to open documents, encrypt them, and close them again, all with (moderately) easy to access and stable functions"
True, but corporates would normally only allow trusted signed or trusted location macros to run. Even for consumers Office defaults to disabling active content by default and warning you before enabling them.
However, If you have that level of access to Office and you ignore the warnings, malware could just as easily execute a script that encrypts everything of value outside of Office - not just documents. Which is why for all the attempted Office initiated attacks I have seen that's what they do...Also that makes it easier to install and trigger ransom demands.