Update after discussion with bmike (see below)
During an actual Time Machine backup, backupd mounts two shares: /Volumes/Whatever and /Volumes/Time Machine Backups. While the former cannot be accessed by a non-root user, the latter can. It is indeed possible to clear ACLs of files and overwrite them subsequently. So the security issue is wide open.
Original answer
Thinking a little more about the underlying mounting system, I came to the view that my original question contained a misguided assumption, the removal of which perhaps makes the question obsolete. I decided to write an answer instead of removing the question for the benefit of the equally misguided.
When I checked the permissions of my sparsebundle files, I manually mounted the Time Capsule disk. Because I mounted the disk as a normal user, this user became the owner of the mount-point (checking in the terminal, I can see that my user account is the owner of the mount-point, "staff" being the group).
Now my assumption (which was not transparent to me) was that if Time Machine mounts the disk during a backup session, it would be present in the system just as if I mounted it manually. But this is wrong. Since backupd runs as root, the mount-point belongs to root (checking in the terminal, the owner is "root", the group is "wheel", group and world having no rights) and thus a process belonging to a normal user would not be able to encrypt files on a Time Machine disk mounted by backupd.
Thus, in a Time Capsule setup there does not seem to be, for the moment, a danger of ransomware encrypting the backup. However, it might be different with a locally connected external hard drive. I vaguely remember that when I still used an external hard drive, I could see the Time Machine partition as mounted in Finder (something I do not now) and thus it might be mounted with user rights. I cannot test this, as I don't have an external Time Machine hard drive, but maybe someone else can say something about this.
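The ownership check described in the answer above can be scripted. This is an added example, not part of the original post: it reports a mount point's owner and mode and works out what a given non-root uid may do there. The function names are hypothetical, and it evaluates classic mode bits only, not ACLs or mount options.

```python
import os
import stat
import tempfile


def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid; POSIX uses the first matching class."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7      # owner class
    if st.st_gid in gids:
        return (mode >> 3) & 7      # group class
    return mode & 7                 # everyone else


def audit_mount_point(path, uid, gids=()):
    """Report owner and mode of path and what uid may do there.

    Mode bits only: ACLs and mount options are not evaluated.
    """
    st = os.stat(path)
    bits = class_bits(st, uid, set(gids))
    is_root = uid == 0              # root bypasses mode-bit checks
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "can_enter": is_root or bool(bits & 1),      # search (x)
        "can_modify": is_root or (bits & 3) == 3,    # write + search
    }


if __name__ == "__main__":
    # Constructed stand-ins for mount points; on a Mac, pass paths under /Volumes.
    with tempfile.TemporaryDirectory() as base:
        locked = os.path.join(base, "mounted-by-daemon")
        opened = os.path.join(base, "world-writable")
        os.mkdir(locked)
        os.chmod(locked, 0o700)
        os.mkdir(opened)
        os.chmod(opened, 0o777)
        other_uid = os.stat(locked).st_uid + 1   # constructed: any non-owner uid
        for p in (locked, opened):
            print(audit_mount_point(p, other_uid))
```

A mount point where `can_modify` is true for an ordinary user account is one that a process running as that user can write into.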
Best Answer
Using Get Info on said drive and checking Ignore Ownership might help you.