Forum OpenACS Development: Response to logical site hierarchy

Posted by Peter Marklund on
My answer to this vulnerability is to not allow the admin to change the context_id. In the interest of simplicity, there should only be one site hierarchy used both for permissions and for navigation. If the admin needs deviating permissions for an object, he can set security_inherit_p to 'f' and grant any permissions he pleases. The group and privilege hierarchies already offer plenty of power and flexibility in granting permissions.