Someone sends you a PDF exploiting an acrobat vulnerability (to put an example of making someone's else code run as your user), that takes out your browser cookies/sessions/whatever (or just install a keylogger), and sent them to someones else email. Not being admin/root don't enable them to modify the system in ways that your plain user can't, but can do everything else.
They don't. They call your bank after cracking the weak password on your email account for the details, reading your FB page for your birthdate, phone number, relatives and location/address, then authorise a bank transfer.
Lovely example of why so much security advice is rearranging the proverbial deck chairs. The model for the future is privilege separation within an account – a la Apple's sand boxing – but even that is woefully inadequate until, say, compromising your browser on your favorite l0lcat site doesn't let an attacker reuse your banking credentials.
The problem is that at some point, everything depends on a single lynchpin of security. For example, I use approximately 5,000 different passwords, but they're all stored in a single repository that's protected with a very long pass phrase. But, compromise the phrase, or the encryption protocol itself, and BOOM, all for not. Unfortunately, diffuse security risks are difficult to achieve in practice if your goal is ease-of-use. There's a freaking Nobel prize in there somewhere.
@petrilli the problem is that you are storing them in one place :-) either distribute to multiple location or store them in you head. I have a powerful mnemonic to store my 100+ passwords in my head. Hopefuly that can't be cracked. Yet.
bogorad: I'm trying to tell whether you missed the point or are joking. TrueCrypt, FileVault, etc. are good ideas for physical security but they don't help when an active session is compromised, which is by far the dominant threat these days.