That's why I prefer Hands Off! I agree that neither is foolproof but HO allows me to control disk access as well as network access.
If I've just downloaded a new app, I'll have it ask for permissions for every disk access it needs. After a few runs I'll start giving it permanent access to the dirs I'm OK with it using. No app gets to write to /Applications.
It's a little painful to deal with the pop-ups but I like to know what my apps are up to :-)
That's incorrect. Maybe you don't notice it if you're running as an admin, but the /Applications directory is admin-owned; since I'm running as a regular user, I need admin credentials to move items to that directory. I also get asked for admin credentials to perform any file operation in the /Applications directory, including those affecting apps I put there under my non-admin account (with admin credentials). You can make a ~/Applications directory for user-owned apps, and you won't need admin privileges to change that, but it would be less secure.
As non-admin, you have to authenticate to create or delete items in /Applications/. However, all items you move to /Applications/ remain under the ownership of your user.
You can confirm this without even opening the terminal: move the directory Foo/ to /Applications/Foo and notice that /Applications/Foo/bar is user-writable.
(Furthermore, admin on OS X (and many modern Linuxes) isn't equivalent to the traditional root account. Using a non-admin account doesn't make the difference you think it does.)
OK, it seems to ask me to authenticate to move a folder to certain directories in /Applications, apparently those created by installers running with admin privileges, but I am able to move a folder to a folder that I've moved to the /Applications directory under my regular user account with authentication without needing to re-authenticate. But since the majority of my apps are not in their own directories, I am still asked for admin privileges to modify them. I am aware that the admin account is not in the root wheel, but the /Applications directory is owned solely by the 'admin' account; just not necessarily all sub-directories apparently.
It does work for Firefox, which I don't use on my Mac, but not for Safari, which I do. It seems first party apps and ones installed with a proper installer are not susceptible to this vulnerability, so you would have to rely on the presence of third party apps that don't get installed with installers. I would guess Mac App Store apps are also protected, but I am unable to test that. You are right that there is a vulnerability, though its extent is questionable.
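As an added example, not code posted by anyone in this thread, here is a small POSIX shell script that performs the check the posts above describe by hand: it lists the entries directly under a directory that the user running it can modify, which on a Mac is the set of app bundles in /Applications that code running as that user could tamper with. The function names, the scratch directory and the two app-bundle names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find entries one level under a directory that the current
# user can write to. Point it at /Applications to see which app bundles a
# non-admin account could modify without authenticating.
# Uses only POSIX sh, so it runs on macOS and Linux alike.

# Print each entry directly under DIR (including dot-entries) for which
# test -w succeeds, i.e. access(2) reports write permission for this user.
user_writable_entries() {
    dir=$1
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue      # skip unmatched glob patterns
        if [ -w "$entry" ]; then
            printf '%s\n' "$entry"
        fi
    done
    return 0
}

# Number of writable entries, trimmed so it can be compared in scripts
# (BSD wc pads its output with spaces).
count_user_writable() {
    user_writable_entries "$1" | wc -l | tr -d ' '
}

# Human-readable report. Root is called out explicitly because test -w is
# true for root on every file, which would make the report meaningless.
writable_report() {
    dir=$1
    printf 'Checking %s as %s (uid %s)\n' "$dir" "$(id -un)" "$(id -u)"
    if [ "$(id -u)" -eq 0 ]; then
        echo "note: running as root, so every entry will test as writable"
    fi
    user_writable_entries "$dir" | sed 's/^/  user-writable: /'
    printf '%s writable entries\n' "$(count_user_writable "$dir")"
}

# Constructed demo: a scratch directory standing in for /Applications with
# one bundle the user owns and can write (755) and one locked down (555),
# mimicking the two cases the thread describes.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/UserApp.app" "$demo_dir/VendorApp.app"
chmod 755 "$demo_dir/UserApp.app"
chmod 555 "$demo_dir/VendorApp.app"
writable_report "$demo_dir"
rm -rf "$demo_dir"
```

To use it on a real system, source the file and call `writable_report /Applications` from a non-admin account. Two caveats: `test -w` reflects only what access(2) reports, so permission bits and ACLs are honoured but protections enforced above the filesystem are not, and the check says nothing about whether the contents of a bundle are writable, only the top-level entry, so recurse into any bundle it flags before concluding it is safe.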