Indeed, to inject a code in a running process requires that before being carried out some actions. Once the code is in memory, it can perform any action allowed to the same user. If the user has an administrator access of the system, the latter can be completely compromised, but if the account has a limited access will require additional steps to attack the system completely.
So another good reason for not using Admin account.