The only real solution to the local user problem, I would think, is walls of separation. At
the simplest level, never open a file a user asks you to open; always copy it and run chmod
600 over it first, then check it, then open it. At a larger level, design things with clear
gateways; documents have to be loaded onto the server with FTP/CVS/SVN/HTTP, wherein they get
checked before being distributed. Don't trust anyone with log-on access that you wouldn't trust with
all the data on the computer.
This doesn't work in some environments, like a shared university system, but I would consider
those secured as much by the university's power over those who access it than any software
protection. I certainly wouldn't trust such a system for anything even slightly sensitive.
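
The copy, chmod 600, check, then open sequence described above, as an added example that is not part of the original comment. The names `quarantine_copy`, `check` and `MAX_BYTES` are hypothetical, and the size limit is an assumption.

```python
import os
import stat
import tempfile

MAX_BYTES = 1 << 20  # assumed size limit, not from the original text


def quarantine_copy(user_path, check):
    """Copy user_path to a private 0600 file, run check(path) on the copy,
    and return the copy's path. Only the copy is ever handed to a parser."""
    # O_NOFOLLOW: fail if the final path component is a symlink.
    # O_NONBLOCK: do not hang if the user pointed us at a FIFO.
    src = os.open(user_path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        # fstat the descriptor, so the answer is about the object we hold
        # open and cannot be changed by renaming things under the path.
        st = os.fstat(src)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        data = b""
        while len(data) <= MAX_BYTES:
            chunk = os.read(src, 65536)
            if not chunk:
                break
            data += chunk
        if len(data) > MAX_BYTES:
            raise ValueError("file exceeds size limit")
    finally:
        os.close(src)

    # mkdtemp gives a 0700 directory owned by us, so no other local user
    # can rename or replace the copy between the check and the open.
    private_dir = tempfile.mkdtemp(prefix="quarantine-")
    fd, private_path = tempfile.mkstemp(dir=private_dir)
    os.fchmod(fd, 0o600)  # the "chmod 600" step, applied to the descriptor
    with os.fdopen(fd, "wb") as out:
        out.write(data)

    if not check(private_path):
        os.unlink(private_path)
        os.rmdir(private_dir)
        raise ValueError("content check failed")
    return private_path
```

The caller opens only the returned path; the user's original file can change afterwards without affecting what was checked.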