It can come up as "I did not expect _arbitrary_ code execution/overwrite, especially not as root."
e.g. in an installer:
1. Download package
2. Maybe 'prepare' as the user – this could be _entirely_ caller-driven (i.e. you didn't run any code, you just provided materials for the installer to unpack/place/prepare), or it could include some light/very restricted code execution
3. Perform 'just one operation' such as 'copying things into place' (potentially with escalation/root)
4. In step 3, the preparation from 2 resulted in the placement of something in binary position (that then runs), and/or overwriting of important files (if something placed in step 2 was used as a target)
I'm collapsing and simplifying - lots more possibilities and detail than the above.
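
An added example, not part of the original comment: a check a privileged installer could run over the user-prepared material from step 2 before the copy in step 3, flagging entries that would make the copy write outside its intended target. The names `audit_staging`, `staging_root` and `install_root` and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_staging(staging_root, install_root):
    """List (relative_path, reason) for staged entries that would make the
    privileged copy write somewhere other than under install_root."""
    findings = []
    install_real = os.path.realpath(install_root)
    for dirpath, dirnames, filenames in os.walk(staging_root, followlinks=False):
        for name in dirnames + filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, staging_root)
            mode = os.lstat(src).st_mode  # lstat: inspect the entry, not its target
            if stat.S_ISLNK(mode):
                findings.append((rel, "symlink in staged material"))
                continue
            if not (stat.S_ISREG(mode) or stat.S_ISDIR(mode)):
                findings.append((rel, "special file (device, fifo, socket)"))
                continue
            # A symlink already present under install_root can redirect the write.
            dest = os.path.realpath(os.path.join(install_root, rel))
            if os.path.commonpath([install_real, dest]) != install_real:
                findings.append((rel, "destination resolves outside install root"))
    return findings

def demo():
    """Build a constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        staging, install, outside = (os.path.join(tmp, d)
                                     for d in ("staging", "install", "outside"))
        os.makedirs(os.path.join(staging, "lib"))
        os.makedirs(os.path.join(staging, "bin"))
        os.makedirs(install)
        os.makedirs(outside)
        open(os.path.join(staging, "lib", "ok.txt"), "w").close()
        open(os.path.join(staging, "bin", "tool"), "w").close()
        # Staged symlink pointing away from the package contents.
        os.symlink(outside, os.path.join(staging, "lib", "link"))
        # Install root where "bin" was pre-placed as a symlink to another directory.
        os.symlink(outside, os.path.join(install, "bin"))
        return sorted(audit_staging(staging, install))

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The audit only means something if the staging tree can no longer be modified by the unprivileged user between the check and the copy.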