[angry_octet]

Unix permissons by themselves are notoriously not capable of containing and restricting something malicious. The kernel exposes a huge attack surface. That is why it is beter to use VMs, which expose the much smaller hypervisor and provide only simple interface protocols.

[rahrahrah]

If the "something malicious" is run by a user that only has permissions to read/write to his home, it's perfectly contained.

[angry_octet]

Unfortunately not true. By default programs will also have permission to do things like mmap, open network sockets, use IPC, learn about other processes and the kernel via proc (helping to defeat randomised protection against stack overflow) and many other areas. Google for kernel hardening and PaX.