Just to clarify, there's no period of time (e.g., an "hour") that will ensure that a transaction has confirmed. So this idea of requiring an hour doesn't guarantee anything.
Also, it appears you are placing significance on this concept of an address having "low activity". Bitcoin does not use the concept of "balances". Bitcoin transactions instead consist of inputs and outputs. Once an output is spent, there is no further activity for that output, ever.
But you are right to express a concern. Consider the following scenario:
Let's say SatoshiDICE made payouts using other people's wagers that hadn't yet confirmed. And then a consumer uses the funds from that SatoshiDICE payout to make a payment at a merchant. Then let's say those transactions never confirm and somehow further back a double spend occurred and invalidated the wager to SatoshiDICE. What ended up happening then is that the consumer made a payment to a merchant that will never confirm.
But that is easy to identify. The merchant needs to do more than just check that the transaction was received; the merchant also needs to check that the input(s) for that transaction had at least one confirmation (or perhaps more confirmations, depending on the amount of the transaction / level of risk tolerance).
In the example above, the customer might have been trustworthy but probably would have been unaware at the time that the funds being used to pay the merchant hadn't already been confirmed. So in that instance, even though the consumer had no intention to double spend, that is indeed what could occur if the consumer too ended up receiving a transaction that eventually became a double spend.
So the litmus test on accepting 0/unconfirmed as payment might need to also include another check to ensure that all inputs for the payment had confirmations. If that fails, then there is an increase in the risk of that transaction never confirming and the merchant would want to proceed in an appropriate manner.
These types of scenarios will rarely occur accidentally, so the prevention could simply be to ensure that there is no economic gain from attempting them. A restaurant, for instance, will make more in profit from repeated failed double spend attempts than it would lose from the occasional one that does occur.
But a merchant will probably want to use a payment processor that can perform the risk analysis (e.g., to know that if the payment to the merchant came from a SatoshiDICE payout that also hadn't confirmed, then it is a higher-risk payment).
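
The input-confirmation check described in this answer, as an added example that is not part of the original post. The function name `check_payment_inputs`, the `lookup` callable and the sample transactions are assumptions made for illustration; the data is constructed and shaped like Bitcoin Core's verbose `getrawtransaction` output.

```python
# Constructed sample data, shaped like the verbose getrawtransaction output of
# Bitcoin Core: "vin" lists the outputs being spent, and "confirmations" is
# absent while a transaction is unconfirmed. The txids are made-up labels.
SAMPLE_TXS = {
    "old_funding": {"txid": "old_funding", "confirmations": 120, "vin": []},
    "recent_funding": {"txid": "recent_funding", "confirmations": 3, "vin": []},
    "dice_payout": {"txid": "dice_payout",
                    "vin": [{"txid": "unconfirmed_wager", "vout": 0}]},
    "pay_clean": {"txid": "pay_clean",
                  "vin": [{"txid": "old_funding", "vout": 1}]},
    "pay_chained": {"txid": "pay_chained",
                    "vin": [{"txid": "dice_payout", "vout": 0},
                            {"txid": "old_funding", "vout": 0}]},
    "pay_shallow": {"txid": "pay_shallow",
                    "vin": [{"txid": "recent_funding", "vout": 0}]},
}


def check_payment_inputs(txid, lookup, min_input_conf=1):
    """Return (inputs_ok, risky_inputs) for a received payment.

    lookup is a hypothetical callable mapping a txid to its decoded
    transaction (or None if unknown). risky_inputs lists every spent output
    whose parent transaction has fewer than min_input_conf confirmations.
    """
    tx = lookup(txid)
    if tx is None:
        raise KeyError(f"unknown transaction: {txid}")
    risky = []
    for vin in tx["vin"]:
        parent = lookup(vin["txid"])
        # An unknown or unconfirmed parent counts as zero confirmations.
        conf = parent.get("confirmations", 0) if parent else 0
        if conf < min_input_conf:
            risky.append((vin["txid"], vin["vout"], conf))
    return not risky, risky


if __name__ == "__main__":
    for name in ("pay_clean", "pay_chained", "pay_shallow"):
        # Require 6 confirmations on inputs, e.g. for a larger amount.
        print(name, check_payment_inputs(name, SAMPLE_TXS.get, min_input_conf=6))
```

A payment that fails this check is not necessarily a double spend; it is the higher-risk case where the merchant would wait for confirmations instead of accepting at 0/unconfirmed.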