OK, I think it's time to take a step back. If we are to have a security policy, I think we first need a threat model. Without it, we can't really argue about what we're trying to protect against.

So the attached is my initial stab at trying to write down a threat model. Some of this is subjective, but I'm trying to be reasonably realistic. Most of these threats are really quite low in comparison to other tools and services that run on your computer.

In practice, you then take the model and the impact/likelihood matrix and decide what level of actions are needed for each combination - whether it be from pre-emptive auditing through fixing bugs if found down to do nothing. But that's the step after we have the model agreed.

If you can think of threats I've missed (quite likely, I haven't thought about this for long enough), then please suggest additions.

R.