RE: Mystery of the Daisy Chain: Solved

in LeoFinance • 2 years ago

You are right and wrong.

Seems like you don't know yet that there is an option for custom JSON to require either the posting key or the active key for signature. Most custom JSONs on HE that move money around require active key authority. I've actually tested this functionality myself with the API.

Yeah but I think it's because it is a hierarchical structure. Active key has all permissions except for owner permissions.

So in my mind the posting key is just a limited scope of active. If it is entirely separate there's nothing to worry about, maybe.

Also, would the "depth" parameter not apply to active? Either way there's a whole lot of trust given there.

The thing being worried about is devs creating tokens and allowing them to be transferred with posting key authority using custom JSONs.
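
The concern raised in this thread, written as a check that an app or sidechain node could run before honouring a custom JSON (an added example, not part of the thread and not any project's own code). `required_auths` and `required_posting_auths` are the signer fields of a Hive custom JSON operation; the `contractName`/`contractAction` payload layout and the `ACTIVE_ONLY` policy list are assumptions made for illustration.

```python
import json

# Hypothetical policy: (contract, action) pairs that move value and must be
# authorised with the active key, never with the posting key alone.
ACTIVE_ONLY = {("tokens", "transfer"), ("tokens", "stake"), ("market", "buy")}

def signer_level(op):
    """'active' if required_auths is populated, 'posting' if only
    required_posting_auths is, otherwise None."""
    if op.get("required_auths"):
        return "active"
    if op.get("required_posting_auths"):
        return "posting"
    return None

def check(op):
    """Return (accepted, reason) for one custom JSON operation body."""
    level = signer_level(op)
    if level is None:
        return False, "no signer listed"
    try:
        payload = json.loads(op.get("json", ""))
    except (TypeError, ValueError):
        return False, "payload is not valid JSON"
    # Assumption: a payload is one action object or a list of them, so every
    # element of a batch is checked, not just the first.
    actions = payload if isinstance(payload, list) else [payload]
    for act in actions:
        if not isinstance(act, dict):
            return False, "action is not an object"
        key = (act.get("contractName"), act.get("contractAction"))
        if key in ACTIVE_ONLY and level != "active":
            return False, f"{key[0]}.{key[1]} requires active authority"
    return True, f"accepted at {level} level"

# Constructed sample operations (account names and amounts are made up).
TRANSFER = {"contractName": "tokens", "contractAction": "transfer",
            "contractPayload": {"symbol": "EXAMPLE", "to": "bob", "quantity": "1"}}
VOTE = {"contractName": "comments", "contractAction": "vote"}
POSTING = {"required_auths": [], "required_posting_auths": ["alice"]}
SAMPLES = {
    "active_transfer": {"required_auths": ["alice"], "required_posting_auths": [],
                        "json": json.dumps(TRANSFER)},
    "posting_transfer": {**POSTING, "json": json.dumps(TRANSFER)},
    "posting_social": {**POSTING, "json": json.dumps(VOTE)},
    "batched": {**POSTING, "json": json.dumps([VOTE, TRANSFER])},
}

if __name__ == "__main__":
    for name, op in SAMPLES.items():
        print(name, check(op))
```

The `batched` sample is the case worth watching: a posting-signed operation that hides a transfer behind a harmless first action is rejected only because every element is checked.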