You're technically correct - it's all a matter of degrees of certainty. That does however not invalidate any of the points made in the article.
If that native C application runs on a server that is fully under your control you stand a far, far better chance then when that native C application (say a web browser) runs on some computer not under your control. Especially if that native C application is explicitly written to accept run-time addition of random third-party code (aka browser extensions).
