Asking you if you trust a device before opening a data connection to it is simply not the same thing as asking the person who just created a shortcut if they should be allowed to do that.
I once encountered malware on my roommate’s Windows 98 system. It was a worm designed to rewrite every image file as a VBS script that would replicate and re-infect every possible file whenever it was clicked or executed. It hid the VBS extensions and masqueraded as the original images.
Creation of a shortcut on Windows is not necessarily innocuous. It was a common first vector to drop malware as users were accustomed to installing software that did the same thing. A Windows shortcut can hide an arbitrary pathname, arbitrary command-line arguments, a custom icon, and more; these can be modified at any time.
So whether it was a mistake for UAC to be overzealous or obstructionist, or Microsoft was already being mocked for poor security, perhaps they weren’t wrong to raise awareness about such maneuvers.
But anywho, cve.org lists 78 shortcut vulnerabilities across many platforms.
I know you'd like to believe the world we live in shouldn't require permissions for a user to create a shortcut and then access it, but that... is actually the world we live in, and have been in for a very long time.
Security is hard and it's not getting any easier as system complexity increases.
If you don't believe me, ask your favorite LLM. I asked Gemini and got back what I expected to.
If the user manually creating a shortcut is so dangerous, why did Microsoft remove that permissions prompt when they fixed their terrible initial UAC implementation?
Remember when they used to mock this as part of their marketing?
https://www.youtube.com/watch?v=DUPxkzV1RTc