Isn't the main problem that RPMs can't be installed in the user's home directory instead of /? Then any user could install any RPM he wants to without being root. Of course, it wouldn't make sense for system-level programs, but for normal applications it would be really nice. It would require a lot of changes to each RPM, but I would say it would be worth it instead of opening for security hacks like these.
Otherwise, / should be uid-dependent and therefore each user could see his own version of the installed software base without affecting the other users or the system. I think I read somewhere that Plan9 can do just this. Can namespaces in Linux be used for this?
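The "install into the home directory" idea from the comment above, as an added example that is not part of the original post or of any RPM tooling: a small Python script that takes an RPM payload in the form rpm2cpio emits it (a cpio "newc" stream) and relocates it under a user-owned prefix such as ~/.local. The sample members, the prefix handling and the helper names are constructed for this illustration; real packages also compress the payload and carry RPM headers in front of it, which this script does not parse. The security-relevant part is safe_relative and the containment check in install_payload: an installer running as the user must refuse member names that escape the prefix, otherwise a package that could never touch / could still overwrite the user's own files.

```python
"""Relocate an RPM-style cpio payload under a per-user prefix instead of /.
Added illustration; assumes the payload has already been extracted with
rpm2cpio (a 'newc' cpio stream). Not part of rpm or of the original post."""
import io
import os
import posixpath
import stat
import tempfile

CPIO_MAGIC = b"070701"   # SVR4 "newc" cpio magic
HEADER_LEN = 110         # ASCII header: magic + 13 eight-digit hex fields


def _pad4(n):
    return (4 - n % 4) % 4


def write_newc(entries):
    """Build a newc archive from (name, mode, data) tuples.
    Used here only to construct sample input; real payloads come from rpm2cpio."""
    out = io.BytesIO()
    for ino, (name, mode, data) in enumerate(list(entries) + [("TRAILER!!!", 0, b"")], 1):
        raw = name.encode() + b"\0"
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
        out.write(CPIO_MAGIC + b"".join(b"%08x" % f for f in fields))
        out.write(raw + b"\0" * _pad4(HEADER_LEN + len(raw)))
        out.write(data + b"\0" * _pad4(len(data)))
    return out.getvalue()


def read_newc(blob):
    """Yield (name, mode, data) for each member until the TRAILER!!! entry."""
    pos = 0
    while True:
        hdr = blob[pos:pos + HEADER_LEN]
        if len(hdr) < HEADER_LEN or hdr[:6] != CPIO_MAGIC:
            raise ValueError("bad or truncated cpio header at offset %d" % pos)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name_start = pos + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_start:data_start + size]
        if len(data) != size:
            raise ValueError("truncated member data for %r" % name)
        pos = data_start + size + _pad4(size)
        if name == "TRAILER!!!":
            return
        yield name, mode, data


def safe_relative(name):
    """Map a member name ('./usr/bin/foo' in RPM payloads) to a path relative to
    the prefix. Absolute names and '..' are refused so a crafted package cannot
    write outside the user's own tree."""
    rel = name[2:] if name.startswith("./") else name
    if rel == "" or rel.startswith("/"):
        raise ValueError("refusing absolute or empty member name %r" % name)
    norm = posixpath.normpath(rel)
    if norm in (".", "..") or norm.startswith("../"):
        raise ValueError("refusing path traversal in member name %r" % name)
    return norm


def install_payload(blob, prefix):
    """Write every regular file and directory of the payload under prefix and
    return the relative paths written. Symlinks and device nodes are skipped:
    devices need root, and a packaged symlink could later redirect writes
    outside the prefix."""
    prefix = os.path.realpath(prefix)
    os.makedirs(prefix, exist_ok=True)
    installed = []
    for name, mode, data in read_newc(blob):
        rel = safe_relative(name)
        dest = os.path.join(prefix, rel)
        parent = os.path.realpath(os.path.dirname(dest))
        if os.path.commonpath([prefix, parent]) != prefix:   # second line of defence
            raise ValueError("member %r resolves outside prefix" % name)
        if stat.S_ISDIR(mode):
            os.makedirs(dest, exist_ok=True)
        elif stat.S_ISREG(mode):
            os.makedirs(parent, exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(data)
            # keep the packaged permission bits, but never setuid/setgid in $HOME
            os.chmod(dest, stat.S_IMODE(mode) & ~(stat.S_ISUID | stat.S_ISGID))
        else:
            continue
        installed.append(rel)
    return installed


# Constructed sample payload, laid out the way an RPM ships it.
SAMPLE_ENTRIES = [
    ("./usr/bin/hello", 0o100755, b"#!/bin/sh\necho hello from a user prefix\n"),
    ("./usr/share/doc/hello", 0o040755, b""),
    ("./usr/share/doc/hello/README", 0o100644, b"installed without root\n"),
]


def demo_install(prefix=None):
    """Install the sample payload under prefix (a fresh temp dir by default)."""
    prefix = prefix or tempfile.mkdtemp(prefix="userrpm-")
    installed = install_payload(write_newc(SAMPLE_ENTRIES), prefix)
    with open(os.path.join(prefix, "usr/share/doc/hello/README"), "rb") as fh:
        readme = fh.read()
    mode = stat.S_IMODE(os.stat(os.path.join(prefix, "usr/bin/hello")).st_mode)
    return {"prefix": prefix, "installed": installed, "readme": readme, "hello_mode": mode}


def rejects(member_name):
    """True if a payload containing member_name is refused before anything is written."""
    blob = write_newc([(member_name, 0o100644, b"x\n")])
    try:
        install_payload(blob, tempfile.mkdtemp(prefix="userrpm-"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    info = demo_install()
    print("installed under", info["prefix"], info["installed"])
    for bad in ("../../escaped", "/absolute/path", "usr/../../escaped"):
        print("rejected" if rejects(bad) else "ACCEPTED", bad)
```

Run it as `python3 userrpm.py` to see the sample tree land under a temporary prefix and the three escaping names refused. To use a real package, feed it `rpm2cpio pkg.rpm` after decompressing, and point PATH and LD_LIBRARY_PATH at the prefix's usr/bin and usr/lib; relocation only works for packages whose binaries do not hard-code /usr, which is the "lot of changes to each RPM" the comment anticipates.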