I stand corrected, as it appears I was way too naive in my understanding of software security, hence the example I provided.
IMHO the whole discussion is moot.
Any Windows app can easily bypass *any* security measure in Wine by calling int 0x80, and there's nothing we can do against that other than running the .exe code in a real virtual machine (which would break the whole "Wine is not an emulator" thing).
And as Marcus pointed out, as soon as it is running it can already do everything the Linux permissions allow. It doesn't have to use broken API calls to do bad things.
A point where we have to take a look at security concerns is when we get data from the application that is potentially from somewhere outside the app. E.g. Half Life 2 loads MOTDs from servers which are HTML pages and passes them to our HTML control. Or MS Paint opens a jpeg file and uses Win32 API functions to parse it.
Protecting Wine against the application won't work. Protecting Wine (and the application) against the application's data is what we have to do.