By which I mean something similar to Joomla's ftp layer, which the admin can optionally enable, with configurable credentials. If enabled, the J! file API then drives an ftp session to localhost rather than using native PHP file system calls.
This would enable sites to remove the requirement for the web server to have write access on the XF web content, for any code that uses the file helper. In J!, this includes the auto-updater and installer.
In XF, I'm thinking specifically of addons like the advanced installer, where people are advised just to give their web server write access to XF. Which to me just sounds like a security disaster waiting to happen. Giving the web server write access to PHP files it can then execute is not a Good Thing <tm>. It feels like I'm back in vB land, with "make sure the following folders are set to 777 ..."