Current WP referer check + KSES

IMGs in comments allow for arbitrary SRC attributes

NO: KSES filters out all IMGs from comments by users without unfiltered_html

Links from preview IFRAME allow comments/drafts from untrusted parties to pass check_admin_referer()

NO: IFRAMEs send REFERER based on SRC attribute

SESSIONS v. COOKIES, POST v. GET in the context of packet sniffing

N/A: They're all up for grabs unless you're doing stuff over SSL

In the context of log files

Sure: WP cannot secure your log files. You have a bad host if your log files are readable by untrusted parties. That said, it's a valid point; why not trust the competency of your host as little as possible?

REFERERs can be spoofed

NO: This can only happen with script injection: Enter KSES.

wp-admin/edit-comments.php and wp-admin/moderation.php are dangerous since they'll send a REFERER which will pass check_admin_referer()

YES: KSES strips out SCRIPTs, IMGs and so forth so that visiting these pages won't automatically cause any damaging GETs, but KSES doesn't filter links; with manual intervantion on your part you can trip a nasty GET by clicking on a malicious link. Solution: filter all links in comments to look like "google [http://www.google.com]" instead of "<a href='http://www.google.com'>google</a>" (i.e., make them unclickable) on these pages. That and POSTification.

Viewing drafts from untrusted users can automatically trip nasty GETs

In some cases. The preview IFRAME can't hurt you as above. If you're using the oldskool HTML editor, your're safe. If you're using the WYSIWYG editor, IMGs are loaded automatically. Solution: don't set up your blog such that untrusted people can submit drafts, and/or require those users with admin privelages to use the oldskool editor. Don't you want to review the raw HTML of contributors anyway (links to goatse etc.)? A partial code-based solution might involve something like that proposed above.