That's true, and that's a concern for people who are expecting Parallels to provide protection from Windows malware. However the visibility of /tmp and /var/tmp shouldn't be that great a problem, since they're not in your path and software is already supposed to treat them as "untrusted". I would hope I could trust Parallels as much as I would trust any other unprivileged application for which I don't have source.  Yes, I know a lot of recent software assumes that it's running single user, but Mac software tends to use ~/Library/Caches and traditional UNIX software grew up in a more hostile environment. When I was at college we had thousands of undergrads sharing the same PDP-11/70s using BSD and there were surprisingly few interesting incidents... though I happened to cause one myself when I discovered that one version of "write" was setuid root and didn't drop permissions when forking a shell. Oops.  Which is probably not as far as most people.