Software that can do this could also just wait for you to run a sudo command and then install a rootkit before the timeout is reached. Or it could keylog your password.
On desktop machines, getting root is almost useless; you have all the sensitive information in the user account. Unless the attacker wants to install a rootkit in the kernel or open raw sockets or stuff like that. But if they can run arbitrary code with your UID you've probably already lost anyway.
I suppose that's true, but ideally there should be no situation in which you give a program or script access to a terminal with sudo's timeout unreached. Compromising information not stored on the machine should ideally require root.
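An added example (written for this page, not by any of the posters, and not part of sudo itself) showing the window the first reply describes and the policy the last reply asks for. `sudo -n` fails instead of prompting, so any process running as your UID can use it to learn whether a valid sudo timestamp ("ticket") exists right now; `sudo -k` invalidates that ticket, and `Defaults timestamp_timeout=0` in sudoers removes the window entirely. The function names and the three-way result (including an "unavailable" state for hosts without sudo) are my own choices, not sudo conventions.

```shell
#!/bin/sh
# Added example, not from the thread. Probes for a live sudo ticket (the
# window an attacker running as your UID would wait for) and closes it.
#
# Relevant sudoers settings (assumption: shown for reference, not applied here):
#   Defaults timestamp_timeout=0   # never cache: every sudo prompts, no window
#   Defaults timestamp_type=tty    # ticket bound to the terminal (sudo default)

# sudo_ticket_state: prints "cached", "none" or "unavailable" and returns
# 0, 1 or 2 respectively.
#   cached      -> `sudo -n true` succeeded without a prompt: anything running
#                  as this user can run root commands until the timeout expires.
#   none        -> sudo would need a password (no usable ticket, or no sudo
#                  rights at all; `-n` makes both cases fail instead of hang).
#   unavailable -> sudo is not installed (assumption: treated as its own state
#                  so the check can run on any host).
sudo_ticket_state() {
    if ! command -v sudo >/dev/null 2>&1; then
        printf 'unavailable\n'
        return 2
    fi
    # -n (non-interactive): exit non-zero rather than prompt. Only the exit
    # code matters, so discard sudo's output and its "a password is required"
    # message.
    if sudo -n true >/dev/null 2>&1; then
        printf 'cached\n'
        return 0
    fi
    printf 'none\n'
    return 1
}

# drop_sudo_ticket: invalidate the cached timestamp now instead of waiting
# for the timeout. `sudo -k` never prompts and does not itself need root.
drop_sudo_ticket() {
    command -v sudo >/dev/null 2>&1 || return 2
    sudo -k
}

# When run as a script: report the state, and close the window if it is open.
state=$(sudo_ticket_state) && drop_sudo_ticket
echo "sudo ticket: $state"
```

Note that this is a visibility check, not a defense against the scenario in the first reply: a malicious process with your UID can run the same `sudo -n` probe in a loop and act the moment it reports "cached". The only setting that removes the window is `timestamp_timeout=0`; `sudo -k` after each privileged command merely shortens it.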