If an attacker successfully compromises my workstation and can masquerade as me, and the most useful thing they can think of doing is to pivot and rewrite my SELinux rules as opposed to grabbing my password database (or just keylogging my banking sessions), then I will be a very happy man.
I think mobile actually leads the way in this area, with applications restricted in actions they can take, regardless of who they're running.
My point was - before they can read the password database (or even find that a password database exists), they need to break out of SELinux-enforced rules. It's not an end goal - it should be a prerequisite for any further data collection.
Key logging should not be possible in an exploited application either. Actually if you've got some healthy paranoia, you're maybe running QubesOS and your banking doesn't touch any other work environments.
Of course this is tricky in case of browsers. But that's also why I don't keep my password in the browser ;)