Is it? There is such a thung as GUI automation. It's not a very popular exploit vector because it is visible, and because there are simpler non-GUI exploit vectors available. But nothing fundamentally stops an attacker process from pretending it's accessibility software and taking control of the mouse to do a drag-n-drop.
That should be a privileged status. If you manage to trick the user into installing malicious software followed by granting it elevated privileges then you likely didn't need such a roundabout method in the first place.
