let me get this straight: You are worried that an user who has the credentials of an admin-user, could expose data of other users on the same pc? Hmm, I *think* that user can do that anyway.
I think it's more dangerous to start a newly installed application as an admin user. Why?
The standard-user thinks he has not the right or power to do any real damage to the OS. But the first "playing around" with a new application could possibly kill of the OS or can do real damage because it's the enviroment of an admin-user.
From this point of view, the UAC is not much more than a nicer "run as ..." feature. Why can't the "UAC-Service" sense the end of an installation and the first start of the application?