"The user has to log on specifically as that user to do that - no privilege escalation is allowed."
And in that one sentence you have nailed the problem. Privilege escalation is not supposed to happen, short of handing over the admin password (a whole set of FAIL! for another day's rant), but it does. And because all software, be it application, OS, or low-level hardware driver, has bugs of one form or another, it is inevitable that someday someone will find one.
That is why dreaming up ever more complex OS models to try and stop this is never going to be that successful. Sure, we can segregate user accounts from admin tasks, and we can use things like SELinux/AppArmor to enforce the expected behaviour of processes that have high privileges, to reduce what p0wning them can do, but we can never be sure.
And that is why a backup machine has to be physically and administratively separate from any machine that can be taken over via Internet access, portable media, etc. And it has to assume that files might be trashed, so some point-in-time model for data recovery needs to be implemented.