We've asked Apple for comment on the apparent bug and will let you know if it can provide a response, although we've learned that this shouldn't expose users and that it should be fixed with the upcoming macOS 10.13.3 update (the fix is already present in the beta).

It's not going to be a serious issue given that an intruder needs admin-level access, but it could be a concern if an attacker already has those privileges. They could loosen your password restrictions for downloads (say, to go on a shopping spree without your consent) or force automatic updates if they know a newer app or OS release is vulnerable. And of course, this illustrates that the company still has avoidable security hiccups to address.