Also, here's my plans (so far), let me know if you think this sounds reasonable.
First, I'm going to change the optipng level to a drop-down list, so users can't type in arbitrary values or add in extra commands.
Second, the plugin will check the paths entered by the user for the various utilities (as much as we can) to try and ensure they aren't using the fields to execute arbitrary commands, and can't include additional arguments.
Lastly, I'm thinking about restricting where the can install the utilities. Specifically, I will have the plugin check to see if the binaries are within the web accessible folder, and throw an error if they are. Not sure on this one exactly, but I think it's generally recommended to have executables that php is running outside of the web folder. The idea is that if someone manages to hack your site and upload a file to your web folder, they can't use the plugin to execute it.
Let me know if you can think of additional precautions, or if you find other resources on what to be careful of when using exec().