I'll admit I'm biased because I've been working with it for years now, but Apple's Logic has one of the best MIDI editing interfaces going. If the Pro version is a little too much for you to stomach there's an "Express" version that's pared down when it comes to plugins and samples, but has the same excellent MIDI editor.
On the cheap-but-effective side you've got Reaper which will run on OS X and includes MIDI editing facilities. You can try it out for free and it's $40 (at the time of writing) to buy it if you like it. Hard to beat that deal.
And then in between these two running the gamut of price and features you've got a whole slew of other options: Cubase, Sonar, Abelton, etc. Each of them offering slightly (or not so slightly) different interfaces and feature sets.
The App can have read/write access to a location if it gets your permission using an entitlement as part of the App Sandbox, in other words this is how its suppose to work. The App is code-signed and trusted, its asking your permission, in theory all should be good.
As noted in the Mac Technology overview:
App Sandbox
Introduced in OS X v10.7, App Sandbox provides a last line of defense against stolen, corrupted, or deleted user data if malicious code exploits your app. App Sandbox also minimizes the damage from coding errors. Its strategy is twofold:
App Sandbox enables you to describe how your app interacts with the system. The system then grants your app only the access it needs to get its job done, and no more.
App Sandbox allows the user to transparently grant your app additional access by using Open and Save dialogs, drag and drop, and other familiar user interactions.
Specifically a developer can implement the following entitlement as noted here in Enabling App Sandbox, this is exactly what you described in your question, so this is probably the entitlement that the A/V program developer had utilized to obtain just read and write access.
com.apple.security.files.user-selected.read-write
Read/write access to files the user has selected using an Open or Save dialog
Note that this is not the same as true administrator user, since the program would not be granted the execute privilege.
Best Answer
Please choose A or B, not both.
Are we talking invasive virus software, like the stuff that came on Sony CDs?
Either a carefully-configured virtual machine, like VMware Fusion, or an isolated physical machine. By "isolated" I mean not used for anything else and not connected to any network. Make a fresh install of the OS, do what you need, but then never use the machine for anything else. I would assume that "really malicious" software would modify the recovery partition, bootloader, and even the firmware.