Ad 1+3: Only if ML ran as an application. There are other ways. What about replacing the keyboard driver with a custom version?
Ad 2: With admin rights, there are ways around these, too. Note that latest worms (e.g. "Goner") try to disable personal firewalls and virus scanners.
As to whether Linux or Mac (or BeOS or FooOS?) users are at less risk: Obscurity of an operating system, hardware platform, or mail program may save you, but MacOS is not nearly scarce enough that the FBI won't bother to write a version for it.
As with all viruses/worms/security threats good practices may prevent problems. Linux was one of the first "home" OSs encouraging the use of a not-all-powerful account for things like reading mail — but newer Windowsii and MacOS X followed suit. Compromising an account and trojanising at least some of the tasks done from an account is certainly possible; but without admin rights modifications can be much less stealthy.
The lack of all-out virus vectors on Unix has also done its bit. --Robbe