Your paranoia is well taken. The freedom box won't be able to defend against $agency using a 0day against squirrelmail, php, apache or the kernel. But they are well advised to only engage this against a very small group of users. Sure, they could use it against everybody at once, but the larger the group, the greater the chances of discovery. So the box would still thwart wholesale surveilance, a thing that is not so hard to get when all you have to do is hook up with a number of backbone operators or content/service providers.