They're all fundamentally insecure, because they are designed around the notion that we trust certain users and not others, instead of the notion that we trust certain code and not other code, depening on what it wants to do.