I was scrolling through a Google Research paper related to privilege separation and I felt lost while reading this:

In Unix, every process runs within its own protection domain, i.e., the operating system protects the address space of a process from manipulation and control by unrelated users. Using this feature, we accomplish privilege separation by spawning unprivileged children from a privileged parent. To execute privileged operations, an unprivileged child asks its privileged parent to execute the operation on behalf of the child. An adversary who gains control over the child is confined in its protection domain and does not gain control over the parent.

I can't figure out how this can be possible. If instructions are performed by the parent on behalf of the concerned child, why can't an attacker gaining access to the child process manipulate the parent process to execute privileged instructions, still on behalf of the child process?
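The parent/child arrangement in the quoted passage, sketched as an added example (not part of the post or the paper): the privileged parent accepts requests only over a socket and serves a fixed allowlist, so what a hijacked child can obtain is bounded by that interface. The operation name `read_log`, the log names and uid 65534 are assumptions made for the illustration.

```python
import json, os, socket

ALLOWED_LOGS = {"auth", "daemon"}  # constructed allowlist of log names

def monitor_handle(line: bytes) -> bytes:
    """Privileged parent: treat every request from the child as hostile."""
    try:
        msg = json.loads(line)
        op, arg = msg["op"], msg["arg"]
    except (ValueError, KeyError, TypeError):
        return b"ERR malformed"
    if op == "read_log" and isinstance(arg, str) and arg in ALLOWED_LOGS:
        # The parent builds the path itself; the child never supplies one.
        return b"OK /var/log/" + arg.encode() + b".log"
    return b"ERR denied"

def run_privsep(requests):
    """Fork a child, drop its privileges, return the parent's replies."""
    mon, slave = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # child: the unprivileged side
        try:
            mon.close()
            if os.geteuid() == 0:  # 65534 = "nobody" (assumed uid/gid)
                os.setgroups([])
                os.setgid(65534)
                os.setuid(65534)
            replies_in = slave.makefile("rb")
            for req in requests:  # a compromised child may send anything
                slave.sendall(req + b"\n")
                replies_in.readline()
        finally:
            os._exit(0)
    slave.close()
    replies = []
    for line in mon.makefile("rb"):  # loop ends at EOF, when the child exits
        reply = monitor_handle(line)
        replies.append(reply)
        mon.sendall(reply + b"\n")
    os.waitpid(pid, 0)
    return replies

if __name__ == "__main__":
    # Constructed requests: one legitimate, three a hijacked child might try.
    for r in run_privsep([b'{"op": "read_log", "arg": "auth"}',
                          b'{"op": "read_log", "arg": "../../etc/shadow"}',
                          b'{"op": "exec", "arg": "/bin/sh"}',
                          b'not json']):
        print(r.decode())
```

The child can send any bytes it likes, but the parent never runs child-supplied code or paths; the design's security rests on keeping `monitor_handle` small enough to audit.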