You raise a valid point, but I don't know much about security. To be honest, security through X.org is problematic in many ways. Even if you restrict normal touch events, everyone can still get raw touch events.
I believe the "correct" solution is to use the XACE extension, but I'm not very familiar with it. However, I think most distros use the XAUTHORITY mechanism instead, to keep clients from even connecting to displays they shouldn't have access to. It's assumed that if some malicious software has access to your X server, you've already failed.
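Since the XAUTHORITY mechanism only helps while the cookie file stays private, here is an added example (not part of the original comment) that parses an Xauthority file in the record layout libXau uses and audits it without printing the secret. The host name `examplehost`, the all-zero cookie and the helper names are constructed for illustration.

```python
import os
import stat
import struct

FAMILIES = {0: "Internet", 256: "Local", 65535: "Wild"}  # values from X11/Xauth.h

def parse_xauthority(blob):
    """Decode entries: uint16 family, then four uint16-length-prefixed fields."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family field")
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):  # address, display number, auth name, auth data
            if pos + 2 > len(blob):
                raise ValueError("truncated length field")
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + n > len(blob):
                raise ValueError("truncated field body")
            fields.append(blob[pos:pos + n])
            pos += n
        addr, number, name, data = fields
        entries.append({"family": FAMILIES.get(family, str(family)),
                        "address": addr.decode("latin-1"),
                        "display": number.decode("ascii", "replace"),
                        "scheme": name.decode("ascii", "replace"),
                        "secret_len": len(data)})  # never echo the cookie itself
    return entries

def audit(path):
    """Return findings for a cookie file; an empty list means nothing flagged."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: cookie readable or writable beyond owner")
    with open(path, "rb") as fh:
        for e in parse_xauthority(fh.read()):
            if e["scheme"] == "MIT-MAGIC-COOKIE-1" and e["secret_len"] != 16:
                findings.append(f"display {e['display']}: cookie is not 128 bits")
    return findings

def make_sample(cookie=b"\x00" * 16):
    """Constructed entry (not a real cookie) for host 'examplehost', display 0."""
    parts = [b"examplehost", b"0", b"MIT-MAGIC-COOKIE-1", cookie]
    return struct.pack(">H", 256) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
```

To check a real session, call `audit()` on the path in `$XAUTHORITY` (or `~/.Xauthority` if it is unset).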