I could have told you about that exploit 2 years ago. It's so easy and the Group Policy objects surrounding Task Scheduler are spotty. It's insanity that a standard user account can just set or edit a task with a SYSTEM token. Plus, if the task points at a file or folder, you can just delete that folder/file and replace it with a folder/file with the same name and extension. Task Scheduler does not check if it's legitimate.
It's the reason why I got Kaspersky Total Security last year because it can monitor and restrict file and folder permission changes.
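
A defender-side audit for the condition the comment above describes, added here as an example and not part of the original comment: it lists scheduled tasks that run as SYSTEM whose action target, or the folder containing it, is writable by low-privileged groups. The set of SIDs treated as low-privileged and the mask of write rights are assumptions of this example.

```powershell
# Added example: report SYSTEM scheduled tasks whose target file or parent
# folder can be modified by low-privileged principals. Run elevated so every
# task definition and ACL is readable. Deny ACEs and generic-rights ACEs are
# not evaluated, so treat hits as leads to verify by hand.

# Assumption: these well-known SIDs stand in for "standard users":
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Rights that allow replacing or tampering with a file or folder entry.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    # Ask for SIDs rather than names so the check is locale-independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $r.IdentityReference.Value -and
            ($r.FileSystemRights -band $writeBits)) { return $true }
    }
    return $false
}

Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -in 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18'
} | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no file path
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        # Skip bare names such as "cmd.exe" that are resolved through PATH.
        if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $dir = Split-Path -Path $exe -Parent
        $fileWritable = Test-LowPrivWritable $exe
        $dirWritable  = Test-LowPrivWritable $dir
        if ($fileWritable -or $dirWritable) {
            [pscustomobject]@{
                Task           = $task.TaskPath + $task.TaskName
                Target         = $exe
                FileWritable   = $fileWritable
                FolderWritable = $dirWritable
            }
        }
    }
}
```

Any row returned is a target whose ACL should be tightened so that only administrators and SYSTEM can modify the file and its folder.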