I'm getting tired of new-and-different sendmail holes arriving every so
often.

How difficult would it be to make sendmail run as an unprivileged user?
Give it rights to deliver mail locally (through a privileged delivery
agent which can be many fewer lines of code and easier to audit), throw
it in a chroot-ed environment, and don't let it out of its cage.

That should reduce the potential exposure to just destroying/stealing
local mailboxes.  Can folks live without .forward files piping mail to
an agent and/or other random-execution paths?

==John