You explained it in a way for everyone to understand! Just checking out this thread and waiting for something productive to come from it. I think everyone is looking for USB HDD support in the future.
I love how overcomplicated everyone makes it when trying to explain IOSU exploits.
Here, it's as simple as this:
1. Find 2 locations that can see each other (be shared), or the same location that can be read/called from IOSU and that you are also able to write files to from a different location such as userland using kexploit. (Remember kexploit has the same access to everything IOSU does, just not the same authority.)
2. Write application to shared location and call it from IOSU using ELF.
E.g. if someone was to rewrite the homebrew channel, with built-in kexploit, and also as an installable channel, it gets dumped in location 1, available to userland, and called from location 2, which actually points to the same location but is called using IOSU, which actually has the authority to install it.
Simples..... just nobody can be bothered with that particular task at the moment.
Don't believe me? Ask your favourite dev...