The risk profile I care about is:
User's computer is completely compromised by a root-kit trojan, but they don't know it.
However, the user has access to some other device or service that they have setup in advance to be a "second line of defense" to prevent their entire wallet from being stolen.
Me too, and this is a likely attack in my opinion.
To protect against this attack one needs the keys to be in a crypto processor of some sort, and the ability to do some flavor of trusted pin presentment.
Though this would mitigate the risks significantly we would also want to have a recovery story in the event of token loss and theft.