It doesn't matter how clever you are... at some point, some session will have to run with more privileges than the user in order to be able to do something.
Or, as here, the session gets taken over as "just a user" and steals all their data / credentials anyway and tries to move deeper by finding more.
The problem of privilege separation can be fixed today; the tools are there. The problems described here aren't helped or hindered by privilege separation.
To be honest, what you have to have is an enormously fine-grained permission system no matter what, and that, in itself, is a recipe for disaster. Eventually you get to the point where you need to deploy tools to find out what permissions are granted to certain users, because it gets so complex.
Or you could just patch when a problem is noted, especially when it involves your SSL library.