So what “unpriviledged user” can run an MSI?

In my world (the business world), by definition unpriviledged means can’t install apps. That’s kind of the first level of unpriviledged, with things like change start menu way farther down the tree. I’ve never worked anywhere that’s allowed end users to even kick off an install of anything - at most we use some automation that responds to a user launching an app shortcut (using an app and system management tool that has its own service, something the user can’t even interact with because the install happens silently with zero dialogs. Such dialogs are really bad practice).

It’s not an immutable OS, an app installer can be malicious, of course, like any OS.

Also this:

This attack does not work using a recent version of the Edge browser or Internet Explorer. Also make sure that Edge or IE have not been set as default browser for the system user and that Firefox or Chrome are not running before attempting to exploit it." Secondly, not all .msi files are exploitable.

So it’s a tempest in a tea pot, especially considering it takes a malicious actor at the computer to click on a command prompt window at just the right time (or remoted in, though since timing is crucial, it probably isn’t likely). You can create a script to do it, but even that is problematic, and not all MSI files aren’t susceptible to this (even says so in the article).

So like so much else, it requires just the right circumstance, with just the right MSI, just the right default browser, just the right user permissions, and just the right malicious actor in front of the machine, with just the right knowledge.