The Smart Client Developer Center on MSDN is running an overview of ClickOnce and comparing it to MSI.  One of the areas where ClickOnce comes out on top is security sandboxing (or permission elevation, depending on how you look at it).  Looking closely at the manifests presented in the article you can also see XML DSig at work too :-)  ... it's been a long time since I've been able to check the ClickOnce category ...