There's no need for system level access in some cases....
No, you need system level access to hook into IOHIDSystem to bypass user space security mechanisms. Everything else you mentioned has nothing to do with bypassing user space security mechanisms.
so the only way I can think of is if the admin user uses a third-party mail application such as Thunderbird that was installed with a non-privileged user and infected.
Does Thunderbird use keychain? If it does, set up the keychain properly. If it doesn't use keychain, then don't use Thunderbird.
The whole point of using the infected target's email account is to spread the malware to the user's contacts utilizing the user's email address to increase the success of social engineering ploys while trying to spread the malware.
If you just want to send out spam, make a bunch of email addresses to use to send spam. No need to infect computers just to send spam. I get spam emails that are not actually addressed to me all the time.
Botnets are used to send spam. But those botnets also install other payloads. Killing two birds with one stone.
But again, the fact that I am unable to think how to make it profitable, doesn't mean that someone won't.
Why bother going through all that effort to maybe profit from the user data on a Mac when you can plant rootkits in Windows XP systems with only a browser exploit and have that malware send you valuable sensitive data, such as bank login passwords and credit card data, collected by a system level keylogger?
Some keylogger malware use form grabbers to send the attacker only that valuable data so that the attacker doesn't have to search through the rest of the user's non-valuable keystrokes.
I simply think the same thing about relying on Unix security without applying user knowledge.
Obviously, that is true. The whole point of using DAC by default is to make it possible that applying user knowledge is actually pragmatically useful.
Trying to apply user knowledge when simply visiting a website easily provides system level access, as in XP admin accounts, is not possible.
The only point I am trying to make is that users are more vulnerable if they don't know what they are doing and they sometimes forget that some applications may be modified without needing system privileges.
Modifying those apps does not provide system level access. So, no rootkit install. No keylogger that can log passwords and sensitive web form data install. No form grabber install. No to anything that makes profitability worth the effort.