Summary: download random shit from the web and get saddled with malware because humans are fallible. The end.
There's a reason that anti-malware software on Windows is so popular. It's not because Windows is a crappy OS, it's because people tend to download far more third-party software there than on Linux. Sort of. Except that pretty much all your software on Linux is every last bit a huge hodge-podge of random third-party apps as it is on Windows, it's just that Linux distributions (and Mozilla, as it happens) funnel all that third-party software through some over engineered, time wasting, bureaucratic software repository process with the assumption that that somehow magically means all that code is clean and friendly.
In the end, either the user has to be responsible for reviewing what runs on his computer (and who the hell has the time for that, much less the know-how, given the massive amount of highly complex code that makes up the simplest of modern computing systems?) or rely on very sophisticated tools to help catch or stop misbehaving software.
For example, why does Firefox allow any ol' plugin to connect out to any ol' site without first asking the user to confirm that the plugin is allowed to do so? I mean, I know the reason is "nobody thought of putting in the extra effort to make it do that," which is really the same reason why we're just now starting to see sandboxed processes for individual sites instead of doing it that way from the very start. The result though is the same: either the environment has the tools and smarts to protect the user or the user eventually gets fucked, and it turns out our environments don't have all that many tools or smarts.
Simply pretending that the user can never get malicious software in the first place is a never-ending journey along Failure Way. I don't care what kind of review process or approval system or trust web you put in place. The user will eventually get malicious software, either because your system fails or because he just decided to go around it.
Assume he absolutely is going to end up with some malware, and then figure out how to make sure that malware can either be automatically detected and removed (as with most malware scanners) or just manage to muzzle it so it can't do any harm (for example, as with many Windows firewall packages, including even the rather limited default firewall on Windows Vista/7 which goes way beyond what any Linux setup I've ever seen offers in terms of protection from locally-installed malware).