compinit trusts .zcompdump even when it's owned by a different user?

[Nick Irvine <nfirvine@xxxxxxxxxxxx>]

This may be a bug or misfeature in zsh, but I don't know it that well and I
may be misunderstanding.

compinit (the function that initializes completions) runs compaudit to
enforce a security model whereby it will only load completion functions
from directories in your $fpath that are considered "secure" (owned by root
or me, not world-writable, etc.). It will warn the user about insecure
paths and prompt to either skip them or abort. That's all well and good.

It creates a cache of the results at ~/.zcompdump. AFAICT, it is only
invalidated (i.e., deleted)*manually*.

I'm not entirely clear what's in the cache, so I can't say if this is
really a big security issue. But, at the very least, compinit will consider
the cache valid even if it's owned by a different user, thereby avoiding
loading completion functions that *are* valid for the current user but
*weren't* for the previous one.

This is happening to me every time I use sudo -s where my zsh installation
is owned by me (OS X homebrew). It writes an incomplete completion cache.
Then next shell I start, it loads the busted cache and doesn't see any
completions.

Is this my problem? ZSH's? Homebrew's?

(This is a cross-post from Stack Overflow.)