Such code could also install a separate malware binary, overwriting the Firefox binary is only one possibility. If you really want to prevent malicious writes, use SELinux (or AppArmor, I guess).