If you dupe someone's Dropbox host ID, they'll only see the one entry on their page, so it's quite likely they would not be aware that they've been "duped".
To dupe the key they would need access to your system, though. At which point they would also have access to all your files anyway.
Now, if you fix your system to no longer be vulnerable the duped key will allow them to keep snooping your files, but personally I think this risk is marginal.
There is a difference between someone stealing a snapshot of your data, and someone gaining permanent, undetectable access to your data.
It's also about attack scenarios;
With an USB stick crafted for this purpose I could steal your credentials in under 10 seconds, while you're on the toilet and forgot to enable your screensaver. Locating and downloading the actual data would take much longer, planting a trojan for later would be much more difficult and unreliable.
Whether or not the risk is marginal depends on the circumstances of the user. I there's probably a time and an place for this security model, though I don't see myself using it.
I see two key questions:
* Has the security model has been properly implemented?
* Have its properties have been communicated to the users of the system in a clear enough way that people can evaluate how the risks apply to them?
I don't know about the first question, but on the second they could certainly stand some improvement.
