The application that does the code injection does not ever need to show a UAC prompt. It does not need to be installed, nor does it need to be elevated to run the code injection.
Furthermore, this risk is increased even more if you take into account remote code vulnerabilities in other unelevated applications. (Not low-privileged applications like IE though)
I've got the picture now. The application does not need to be installed. So indeed this is pretty insafe. They should just change the default to "Always Notify" again, and warn people lowering the slider. It's a simple sollution for Windows 7 RTM and maybe
they can fix the architecture for SP1 or Windows 8.