
In this case, it's only the updater that runs privileged (which, last time I checked, was a separate application). The only way you should be able to 'compromise' it would be to man-in-the-middle it and pretend to be Mozilla's servers. Even then, if it used SSL (I'm not sure it does) and had an embedded certificate, then it should be fine.



Yes, the Firefox updater uses SSL and other mechanisms to prevent man-in-the-middle attacks. The update payload itself is signed with a private key controlled directly by Mozilla, to avoid vulnerability to CA compromises [1]. The connection to the update server uses SSL and performs additional checks to ensure not only that the SSL certificate is valid, but that it matches one of a small list of known certs or issuers, so a bad CA can't issue a forged certificate [2][3].

[1]: https://wiki.mozilla.org/Security/Reviews/Firefox10/SilentUp....

[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=544442#c24

[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=583678
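As an added example (not part of the thread, and not Mozilla's code), the Go program below models the two checks the comment above describes: the update payload is verified against a signing key embedded in the client, independently of TLS, and the TLS chain must not only validate against the trust store but also contain a pinned key, so a certificate issued by some other trusted CA for the update host is still rejected. The use of Ed25519, the CA and host names, and the SPKI-hash pin format are assumptions made to keep the example self-contained; the test CAs and certificates are constructed at runtime.

```go
// Added illustration, not Firefox code; Ed25519, names and hosts are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyUpdate accepts payload only if sig verifies under the key compiled
// into the client; a CA or the update host alone cannot substitute a binary.
func VerifyUpdate(vendorKey ed25519.PublicKey, payload, sig []byte) error {
	if len(vendorKey) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed vendor key or signature")
	}
	if !ed25519.Verify(vendorKey, payload, sig) {
		return errors.New("payload signature does not verify under embedded vendor key")
	}
	return nil
}

// SPKIPin is the hex SHA-256 of a certificate's SubjectPublicKeyInfo; pinning
// the key rather than the whole certificate survives routine reissuance.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CheckServerCert does both steps: the chain must validate against the trust
// store for host, and the leaf or one of its issuers must match the pin set.
func CheckServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[SPKIPin(c)] {
				return nil
			}
		}
	}
	return errors.New("chain is valid but matches no pinned key")
}

// newCert generates a fresh Ed25519 key pair and returns the certificate for
// tmpl signed by parent (self-signed when parent is nil) plus the new key.
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// NewCA returns a self-signed root (constructed test data) and its key.
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueServerCert returns a leaf for host signed by the given CA.
func IssueServerCert(host string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, error) {
	cert, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

func main() {
	const host = "updates.example.test" // assumed hostname
	vendorRoot, vendorKey, _ := NewCA("Vendor Update Root")
	rogueRoot, rogueKey, _ := NewCA("Compromised Public CA")
	roots := x509.NewCertPool() // stands in for an OS trust store that trusts both roots
	roots.AddCert(vendorRoot)
	roots.AddCert(rogueRoot)
	pins := map[string]bool{SPKIPin(vendorRoot): true} // the client's embedded pin list
	legit, _ := IssueServerCert(host, vendorRoot, vendorKey)
	forged, _ := IssueServerCert(host, rogueRoot, rogueKey)
	fmt.Println("vendor-issued cert:", CheckServerCert(legit, roots, host, pins))
	fmt.Println("rogue-CA cert:", CheckServerCert(forged, roots, host, pins))
}
```

The point of the second check is visible in the rogue-CA case: `leaf.Verify` alone accepts that chain, because the trust store contains the rogue root, and only the pin comparison rejects it. Pinning an issuer's key rather than the leaf's is what lets the vendor rotate the server certificate without shipping a client update, at the cost of having to ship a new pin list before the pinned issuer itself changes.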



