Putting the users home in first section in the $PATH is insecure, it should be at the last section of the path.
An attacker that gets access to the user account can create a script named sudo on .cargo/bin, when the real user types sudo an put his password the script send the password to the attacker or setuid a shell creating a backdoor. Basically all the binaries can be hijacked.
If you are concerned about such things, which is completely legitimate, you should build Rust projects as a dedicated unpriveleged user and/or in a sandbox, etc. The typical Rust build downloads dependencies from the internet and complies them, which includes running any build.rs files they have -- i.e. running arbitrary programs.
(Not saying your suggestion shouldn't be followed too.)
.cargo$ cat env
#!/bin/sh
# rustup shell setup
# affix colons on either side of $PATH to simplify matching
case ":${PATH}:" in
*:"$HOME/.cargo/bin":*)
;;
*)
# Prepending path in case a system-installed rustc needs to be overridden
export PATH="$HOME/.cargo/bin:$PATH"
;;
esac
Rustup currently puts it first, thus overriding it. @kpreid talked about what would happen if rustup was changed to put it last. In that case it won't override the system installation anymore.