Good questions needless to say ...
Blink's strong points of defense would be if the passing of data was taking place through IE (via HTTP or HTTPS). Blink's IE plugin allows it to scan SSL traffic going through Internet Explorer only. I used to use Firefox (until eEye told me about the Plugin in Blink that was for IE) but now I don't anymore. Now, I have properly set up Internet Explorer's security zones (which addresses most all of the common IE security issues) and everything works fine now. If you want the most out of Blink's protection, using Internet Explorer is the only way. Limiting programs or applications to only being able to connect to the internet (through IE or the settings it uses to connect) would be the best first step for course of action. Ultimately, if you set up Blink to only allow inbound and outbound what you want (utilizing both the System and Application firewalls properly), all of this nightmare can be contained for the most part.
This is why I really love Blink Professional. You can lock your systems down, allow only what you want in and out of each system (anything else is denied with two little settings changes). Next you place Blink Professional into "hidden" mode. At this point, unless you're the Administrator, any users of the system will never know Blink is there (it will not be displayed in the task bar or in the Add/Remove programs section of Windows at this point).
Finally, a note to consider is, any system that people want to use this on will be required to have the Live Mesh software installed on it. So if you don't want this on your network, don't allow people the rights to install software on your systems.
eEye, what is your input on this??