The point is that if a user executes a malicious file, that file runs with the user’s permissions. It can only change things the user has permission to change.
But… If Syncthing is running as a local admin, and doesn’t have a GUI password set up, any process can talk to Syncthing. Even the most unprivileged process can open a connection on port 8080 and talk to its REST API. It can ask Syncthing to set up a folder anywhere (since Syncthing, running as local admin, has permission to do anything), and it can then ask Syncthing - very nicely, and without needing to overflow any buffers - to read or write any file in that folder.
There are several lines of defence against malware. The first line is the user - trusting your user not to download/run a file which looks legit but isn’t. Users, in general, are notoriously bad at doing this, especially the less computer literate. Browser vulnerabilities also let malicious people run processes on your computer without your consent.
We try and teach our users to behave here, but we don’t trust them to.
The next line of defence is user permissions. Since Vista, user accounts have been fairly unprivileged by default, with a UAC prompt required to elevate those permissions (Linux has taken this approach since the dawn of time). If I can get malware onto someone’s computer - and this happens all the time, you can’t argue that it isn’t a risk - then I can only run processes with the same privileges as that user. I can delete their files (cryptolocker), I can show adware all the time, but I can’t install a keylogger, disable the antivirus, make modifications to existing programs, or alter Windows. Well, I can try, but they’ll get that pesky UAC prompt and know something’s up.
… or not. If I have a look around and see that Syncthing is running as a local admin, and without a GUI password, then, as discussed, I can modify any file I like, anywhere I like. It doesn’t take a big imagination to figure out how I can use that to get a process running with local admin privileges.
At this point you’ve lost. I’ve got full admin control of your computer. I’ve disabled your anti-virus, and installed that keylogger. I’ve got your bank details.
If you’re trying to argue that you should give all of your users local admin privileges, there are plenty of articles out there explaining why this is a Very Bad Idea. Letting Syncthing run as a local admin, without a GUI password, is tantamount to the same.
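As an added illustration (not code from the post or from the Syncthing project), here is a small audit check for the condition described above: a GUI/REST listener with no user/password, bound beyond loopback, or served without TLS, which is what lets an unprivileged local process drive an admin-level Syncthing. It assumes the layout of Syncthing's config.xml (a `<gui>` element with `<address>`, `<user>` and `<password>` children); both sample configs are constructed.

```python
import ctypes
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Syncthing's config.xml (assumption:
# <gui> carries an enabled/tls attribute and address/user/password children).
WEAK_CONFIG = """<configuration version="37">
  <gui enabled="true" tls="false">
    <address>0.0.0.0:8384</address>
    <user></user>
    <password></password>
    <apikey>EXAMPLE-NOT-A-REAL-KEY</apikey>
  </gui>
</configuration>"""

# Same layout with a loopback bind, credentials set and TLS on (constructed).
HARDENED_CONFIG = """<configuration version="37">
  <gui enabled="true" tls="true">
    <address>127.0.0.1:8384</address>
    <user>admin</user>
    <password>$2a$10$placeholder-bcrypt-hash</password>
    <apikey>EXAMPLE-NOT-A-REAL-KEY</apikey>
  </gui>
</configuration>"""


def audit_gui(config_xml: str) -> list[str]:
    """Return findings for the GUI/REST settings; an empty list means protected."""
    findings = []
    gui = ET.fromstring(config_xml).find("gui")
    if gui is None or gui.get("enabled", "true") != "true":
        return findings  # no GUI/REST listener at all, nothing to audit
    address = (gui.findtext("address") or "").strip()
    user = (gui.findtext("user") or "").strip()
    password = (gui.findtext("password") or "").strip()
    if not user or not password:
        findings.append("no GUI user/password: any local process can drive the REST API")
    # Strip the port; "[::]:8384" and "0.0.0.0:8384" both mean every interface.
    host = address.rsplit(":", 1)[0] if ":" in address else address
    if host in ("", "0.0.0.0", "::", "[::]"):
        findings.append(f"GUI bound to all interfaces ({address}): reachable from the network")
    if gui.get("tls", "false") != "true":
        findings.append("GUI served without TLS: credentials cross the wire in clear")
    return findings


def running_privileged() -> bool:
    """True if this process is root (POSIX) or an elevated admin (Windows)."""
    if os.name == "nt":
        return bool(ctypes.windll.shell32.IsUserAnAdmin())  # type: ignore[attr-defined]
    return os.geteuid() == 0
```

Run the audit against the config of the account Syncthing actually runs under; a non-empty finding list combined with `running_privileged()` being true is exactly the situation the post warns about.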