Why is it considered safe to install something as a non-root user in Linux environments?
We always hear...
Do we? I don't.
Installing some untrusted program as a normal user is a bad idea with Linux the same it is with Windows or Mac: this program has access to all your data and can delete these data, send these data to somebody else etc. Moreover it can make screenshots, control other applications running on the same X windows screen (even if they run as a different user), can grab keys (i.e. keylogger),... For details see The Linux Security Circus: On GUI isolation.
Apart from that we regularly have privilege escalation bugs even in Linux bugs which can be used by an unprivileged user to get root or even kernel level permissions.
Thus don't install any untrusted programs on any kind of system unless you are willing to compromise this system or the data stored on it.
In short: yes, being on a low-privilege account helps protect you against malware, but does not make you immune. Like any security measure, no single thing is going to keep you 100% safe.
TL;DR: Running on a low-privilege account (aka "principle of least privilege") should be part of a balanced breakfast which also includes good firewall configurations; tools to monitor processes, system resources, open ports, network traffic, etc for suspicious activity; a policy to only run signed executables, configuration of the SELinux secure kernel mod, keeping the OS and application up to date with security patches, and other things.
Your question is very broad to answer directly. Instead I'll break it into several cases based on the configuration of the system, and what the attacker is after:
Case #1: Personal computer
Let's say the linux computer in question is my personal laptop. I effectively use this as a single-user system and I type sudo
pretty regularly - so all of the things you mentioned apply. Moreover, if the attacker is trying to steal my personal information like credit card numbers, tax documents, etc, that's all sitting in my home directory where this user has access to it. If it's ransomware and wants to encrypt my personal files - same thing. They want to install a background process to make my computer part of a botnet, that doesn't need any special permissions.
Case #2: Server, admin account
The damage of getting malware onto an admin's account is less than the end-user case above since the admin account probably has no valuable data in it. but even so, an attacker can probably do some damage by having a packet sniffer inside the network, or by opening a port that allows the attacker to do pen testing from inside the network. Here you would rely on your firewall configuration to protect you against some of this and hopefully notify you to the suspicious activity so you can clean it up.
If the admin types sudo
on a regular basis, then yeah, you're probably in trouble.
Case #3: Server, non-admin account
Imagine the use in question is tomcat
- a very low-privilege user that runs the web server applications. This is the case people usually think of when talking about "principle of least privilege", and getting malware onto this account will be the least dangerous of the three case I've mentioned.
Also consider that Privilege Escalation exploits exist for linux that would allow a low-privilege user to bypass the OS security and turn themself into root. Generally speaking, keeping up to date with security patches protects you against this, but actors wealthy enough to purchase exploits on the black market will know about zero-day exploits that are not publicly known, and have not been patched.
This is a horrible case of Security Theater
Security Theater is the practice or belief of something that looks like it improves security, but in reality does little/harm to it.
This false belief has been around as long as the following rumor
Linux has no viruses because of it's permission system
That's almost as good as saying
I don't have a virus on my computer because I don't see anything flashing
Just because you don't see it, doesn't mean it's true. Closing your eyes doesn't protect you from the intruder.
In all reality Linux, Mac OS, Windows, Android, Xbox, everything has vulnerabilities that would allow escalation to a system level of control.
HOWEVER just because the attack doesn't escalate itself to system level doesn't mean it isn't EXTREMELY dangerous. These applications with just user level access can still steal your information, record your every move, and hold your data for ransom! All without EVER being escalated because this is the data it has access to as just your user.
These facts are true of ANY OS regardless of the device. If you have access to the memory, it has access to the memory. That means even if you can't see it, it still has access to it.
The Good News
Because you are a regular user it means the attack isn't already at root level privileges, which means the access it has it limited to the users access, and helps protect other users on the system. Of course this doesn't mean that escalation can't happen, it just means it's much harder.