We've also built a partially offline application and we went with the seperated domain model approach (Although we connected the offline entities to the 'main' entities). Mostly because of the reasons you're also mentioning in your post. In my opinion: the quality and security advantages of this option greatly outweigh the increased development effort.
Another advantage you gain this way is that, in quite some offline usage cases, you may only want to have a subset of the data that the online application has to offer. With a seperate domain model you can enable this.
Besides this, some 'domain model features' (If I may call them that way) simply aren't available in offline apps. For instance: calculated attributes, autonumbers and default values. Inheritence is also a case to be carefull with when making offline apps. This could be another reason to use seperate domain models as you may want to use these ones in your online application.