When you use an application's internal security system, you must rely on its code for whatever security it has, or does not have.
Here's an example, just posted here in the News section today. Bugs that impact integrity and security or that provide for additional access vectors are always possible. With OpenBSD's FFS, at least the access controls are audited.
http://www.daemonforums.org/showthread.php?t=6652