single user mode spawns a root shell, it doesn't invoke a login process
even IF the single user boot prompted for a login nothing other then a grub password would stop someone from say adding
and then re-mounting / as rw instead of single and achieving essentially the same effect.
or booting from a live cd, chroot the live install, change root password, and/or grub password
in short, no matter what, physical access trumps any extra layers of security that may be in place