Browser process can be run at High Integrity Level
Reported by hae...@gmail.com, Jan 12 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
1. Close all your Chrome browsers (and make Chrome your default app to open web pages, just to be sure).
2. From a UAC-elevated application, open a Chrome browser (it can be a UAC-elevated application with a link, for example, an installer).
3. The Chrome browser that is spawned is elevated.

What is the expected behavior?
The privileges should be dropped. This is, for example, the behavior of Microsoft Edge or Opera.

What went wrong?
The Chrome browser continues to run with high privileges. It can be checked by inspecting the security tokens (I used Process Explorer for that), but that is not always "clean cut". What is clearer is spawning a cmd.exe from the browser: if the browser is privileged, the cmd.exe will be "Run as administrator", with the text "Administrator" as part of the title bar. If the browser dropped the privileges, the prompt will be a regular one. For example: Save file -> Browse to Windows\system32 -> file cmd.exe, right click -> Open (NOT Open as administrator). [Of course, this is just the symptom, not the real risk.]

Did this work before? No

Chrome version: 63.0.3239.132
Channel: stable
OS Version: 10.0
Flash Version:

This sort of issue was discussed at length, e.g. https://superuser.com/questions/472082/prevent-specific-applications-from-being-run-as-administrator
Jan 12 2018
Actually, even if the renderers are Low, there is a more serious case. Take the 3 steps above (your Chrome browser is high privileged). 4. Any executable, or even file, opened through the Download Manager (Ctrl-J) is spawned as High too. I just tried by "downloading" a copy of cmd.exe from C:\Windows\System32 and opened it directly from the "Downloads". I also tried using an extension (Chrono Download Manager): in both cases, the cmd.exe process is Run as Administrator. That would also mean that the extensions are also high privileged.
Jan 12 2018
> That would also mean that the extensions
> are also high privileged

Not really, no. It means that the browser process is running at Admin and thus so are the things it launches, if the Extension has permission to ask it to launch things. Yes, inheritance of Integrity Levels is how Windows is designed to behave.
Jan 12 2018
The fact that files downloaded through the browser can be run as admin (even by mistake) is IMHO a good-enough reason to always drop the browser privileges. That's at least what Opera and Edge are doing. And of course, there is also defense in depth, but I think the previous reason is a lot more valid.
Jan 12 2018
crbug.com/507369 mentions: "In general, we've discussed giving the browser process the power to see that it has been launched at high integrity and automagically dropping to medium, but I'm not sure if this would break certain users' expectations. It seems like a bad idea to intentionally run your browser at high integrity, but maybe someone is doing it." It's a fair point that some users may be doing this on purpose, but it's also true that we don't really provide an easy way for a user to recognize that Chrome is in this configuration which leads to downstream effects like that noted in Comment #4. In terms of cross-browser behavior, Opera and Edge run at MediumIL, while Chrome, Firefox and Brave run the Browser Process at HighIL with LowIL renderers, and IE runs at HighIL *and* runs its tab processes at HighIL.
Jan 12 2018
+pennymac for additional Windows knowledge
Jan 12 2018
This is certainly not a security bug, and I'm not even sure we should be doing anything about this - how users choose to run their Chrome is up to them and we should not stop them from running as Admin. I will admit that, perhaps, we should notify users that Chrome is running as Admin since this is a less secure configuration, just as we do for users who choose to run --no-sandbox. Perhaps just an infobar here, or re-use the existing one in chrome/browser/ui/startup/bad_flags_prompt.cc. Either way, this is Pri-3 at most.
Jan 13 2018
I agree it is not a security bug by itself. It is just very bad practice to let anyone run a web browser with high privilege. The scenario can be a user clicking on a link from most installers requiring UAC. I just tried and the first installer "was a hit": I downloaded the IrfanView installer -> it asked for UAC elevation (probably to install for all users) -> started the installer, and it gave a link to its EULA -> the browser spawned (if no other browser window was already opened) was privileged as HighIL (S-1-16-12288). Of course, Chromium can claim that it's the responsibility of all the installers of the world to drop privileges or not give a clickable link from their privileged installer. But let's be fair: that will not happen.
Comment 1 by elawrence@chromium.org, Jan 12 2018
Components: Internals>Sandbox
Labels: Security_Impact-Stable