Thats why on Linux you need to run the sudo command and type the root password (or user password) to install something. I get this isn't Linux but its a serious security vulnerability that someone could run a super user level command by clicking yes on a confirmation box that pops up so often that nobody thinks twice.
The goal is not always to "take control" of the whole system. A cryptolocker that makes all your files unreadable will happily run in user space.
Also, you're forgetting that windows also have UAC, and that people will happily type the admin password of their device when asked to, because they've been conditioned to not care by badly made stuff.
And, while win+r is unlikely to work in most Linux DE I know about, triggering a visual prompt that ask for your password is also a thing.
There is not much difference between common Linux distro and windows as far as seizing user files with malware is concerned, aside from the fact that no website will care to try telling you "press alt+space" instead of "win+r".
The only issue I see with targeting Linux is the sheer variety of Desktop setups. Finding one keyboard shortcut and payload that will work on even just the majority of distros would be a challenge.
Its a lot harder and can do significantly less damage if it doesnt have root privileges, its like how putting a lock on the door to your house wont stop thieves but its better then not having one.
Or, session cookies. They don't need special privilege to access, and if you grab all of someone's cookies, you can probably get some valid session cookies for logged in accounts just by checking for some common domains in one/by keyword.
From there, it would be trivial to get into email, social media, and other accounts to do other things with.
The behavior is configurable just like it is on linux, UAC can be set to require a password every time.
But I think its not set this way by default because many users don't remember their passwords, lol. You think I'm kidding, you should meet my family...
Also, scripts can do plenty without elevation, on linux or Windows.