> any exploit in a normal user program can be used to get the hash for
> offline attacks

Yes, I was aware of this. It is as easy as calling getent(1).
But an implementation of a similar mechanism at PAM level
would have the problem that the plaintext password needs
to be passed to the suid helper.
And an exploit in a user program can as well do some
syscall tracing against the unprivileged client program.

best regards
Matthias