You said under "The Competition" the following:
"The strength of FileVault lies in the fact that it is fully integrated into Mac OS X, at the lowest level: the operating system itself takes care of performing the tasks on the fly, without relying upon add-ons."
You go on to say under "Threats Against Which FileVault Cannot Protect You,"
"However, it is important to keep in mind that, as soon as you log in, Mac OS X decrypts the data so that you and your applications can access it. Therefore, once you are logged in, a hacker or a virus can steal information as easily as when it is not encrypted."
This is almost a direct contradiction. If the encryption/decryption is done on the fly the data sits there in its encrypted form and when a user opens it, the data is decrypted. However, your second statement makes it seem like the entire image is decrypted and then mounted. This means when a user opens a file for editing, he's editing a plaintext file which will be decrypted and added to the image when he logs out (thus not being on the fly). So, which is it?
I have been looking extensively through the MAC OS X kernel and I have not found anything about FileVault in the kernel. I also looked on a MAC which wasn't using filevault to see if any new modules had been loaded and none had. Also, I cannot find any mention of FileVault in the modules that are loaded.
I suspect FileVault exists entirely in user space. This means it decrypts the image, mounts it as usually you would, and then waits. When the user logs out, the image is subsequently unmounted and repackaged (re-encrypted). I'd appreciate any clarifications/contradictions you guys might have.