The problem is not trusting the application, but that application having to manage untrusted data. Let’s say you have a trusted open source pdf reader. It can easily be infected by a pdf that exploits a memory bug in it.