There’s a universal truism in computer security that we’re periodically reminded of by news of breaches or new vulnerabilities: if someone has physical access to your system (or you give them access by way of a remote access tool), the system is no longer yours. They can do with your system and its data whatever they like. There are many ways they can do things like read your data or gain root access, even if you are running from a less privileged user account. We see trojans do it all the time.
A long-standing, known vulnerability in a component that OS X shares with Linux distributions was recently given a CVE and fixed, but only for Linux versions. The short of it is, if someone has physical access (or access by remote control) to your machine, they can gain root permission by fiddling with your clock. And as we should all know by now, if someone has physical access to your machine, they now own it and all your data on it. This is true whether it’s your machine or it’s a public machine like at a library or at school. Don’t put any data on these public machines that you wouldn’t post in clear text on your Facebook page, because it’s there for anyone to do whatever they wish with it. And be sure to run security software to help keep your machine from being “owned” by remote access trojans.