Ah.  It follows then that _every_ binary and script run in single user mode
   must be immutable, or there's little point to having securelevel 1.

That's correct.  Although I suspect we don't want to make it the
default, someone should identify all of the naughty bits and create
some convenient way for a user to configure their box to be `secure'
if they so desire.