
For instance: opening your web browser, opening your already logged-in Google account and checking your location history.

If someone were doing this over RDP you'd be able to see it happening, but is it possible for an attacker that has control of your system to accomplish this without you noticing anything? No cursor movement, no window opening, etc.

schroeder
Wolff
  • Chrome can be used in [headless mode with existing profiles](https://stackoverflow.com/questions/62159380/how-to-use-chrome-profiles-through-headless-chrome-using-selenium-and-python). In this case no windows will be created, i.e. nothing to see. – Steffen Ullrich Aug 09 '21 at 11:37
  • The attacker could also copy your cookies and hijack your logged-in session, so they can do whatever they want on their own device. Since they aren't doing it on your device, you can't see anything. – nobody Aug 09 '21 at 11:40
  • @nobody - true, but at least Google would notify you that your account is being accessed from a new device/location. – Wolff Aug 09 '21 at 11:46
  • On Linux that's trivial. It is called opening a new remote X session. – A. Hersean Aug 09 '21 at 12:01
  • @Wolff if the attacker can run code on the victim's computer, he can run a proxy there and Google won't see a new location. – ThoriumBR Aug 09 '21 at 12:47

2 Answers


> If someone were doing this over RDP you'd be able to see it happening

This is actually completely false, unless by "see it happening" you mean "observe there was another session live in e.g. Task Manager". "Client" Windows SKUs (that is, non-server) don't allow more than one graphical session to be live at once - if somebody RDPs in, they either take over your session or start a new one - but either way you don't see what they're doing (though you will get booted out to the lock screen, and if you log in again, you'll boot them off).

Server SKUs don't have this restriction, and allow approximately as many sessions as the system resources will support (there might be a hard cap but it's not anything I've ever encountered). Usually all of those will be over RDP; even if the server isn't technically headless it's rare you'd log in locally. Those sessions are separated by a security boundary; sufficiently-privileged users can see across it, but otherwise, your only sign that other users are active on the machine will be in things like total resource usage and maybe a locked file that you didn't lock.

Another possibility is X11 forwarding or a similar approach, over SSH or any other network protocol that allows packet forwarding and doesn't start a GUI session. Windows now has a built-in SSH server, but anything that allows text-based remote login (which could be SSH, or PowerShell remoting, or running commands via RPC, or old-fashioned telnet, or...) will work. If you remote in via "console" apps (every Windows executable is flagged with whether it is a "console" or "Windows" a.k.a. GUI app, although in practice either kind can both draw on the screen and interact with stdin/stdout/stderr), then that's not subject to the one-live-session limit. If you then run an X11 (or similar) server on the remote client, and forward that port over the connection, then the apps on the remotely-controlled machine will display on the controller's machine with the victim being none the wiser (unless, again, they can look at system resource usage). Of course, Windows apps don't generally render to X11, but you can in fact run wine in WSL, and wine renders Windows apps to X11...

CBHacking
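As an added example (not code from the question, the comments, or either answer), here is a defender-side PowerShell audit covering the two things this thread raises: a second interactive session living on the box alongside yours (the session discussion in the answer above) and a browser launched headless against an existing profile (the Chrome comment under the question). It assumes an elevated PowerShell prompt on the Windows host being checked; the browser executable list, the logon-type table and the section headings are my own choices, not anything the thread specifies.

```powershell
# Added example (not from the original Q&A): a quick host-side audit for desktop sessions
# other than the one you are sitting at, and for browsers started without a window.
# Assumption: run from an elevated PowerShell on the host you want to inspect.

# 1. Logon sessions by type. LogonType 10 is RemoteInteractive (RDP / Terminal Services),
#    LogonType 2 is Interactive (local console). A type-10 session you did not open is
#    the "other session" the answer describes; on a client SKU it is the one that would
#    have kicked you to the lock screen, on a server SKU it coexists with yours silently.
$logonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 10 = 'RemoteInteractive' }
$sessions = Get-CimInstance Win32_LogonSession |
    Where-Object { $_.LogonType -in 2, 10 } |
    ForEach-Object {
        $acct = Get-CimAssociatedInstance -InputObject $_ -Association Win32_LoggedOnUser |
                Select-Object -First 1
        [pscustomobject]@{
            LogonId   = $_.LogonId
            Type      = $logonTypeNames[[int]$_.LogonType]
            User      = if ($acct) { "$($acct.Domain)\$($acct.Name)" } else { '?' }
            StartTime = $_.StartTime
        }
    }
"`n== Interactive logon sessions =="
$sessions | Format-Table -AutoSize

# 2. Windows session IDs that currently own processes, compared with the session this
#    script runs in. Session 0 hosts services; any other ID besides your own means a
#    second desktop session exists (live on a server SKU, or disconnected but still
#    running its processes on a client SKU). Resource usage from those processes is
#    the only side effect the answer says a normal user would notice.
$mySession = (Get-Process -Id $PID).SessionId
$otherSessions = Get-Process |
    Where-Object { $_.SessionId -notin 0, $mySession } |
    Group-Object SessionId |
    Select-Object @{ n = 'SessionId'; e = { $_.Name } }, Count
"`n== Processes running in sessions other than $mySession =="
$otherSessions | Format-Table -AutoSize

# 3. Browsers started headless. Win32_Process.CommandLine exposes the full command line,
#    so a chrome.exe or msedge.exe carrying --headless (Firefox uses -headless) shows up
#    here even though it never draws a window. --user-data-dir on the same line tells you
#    which profile it was pointed at.
$browsers = 'chrome.exe', 'msedge.exe', 'chromium.exe', 'firefox.exe'
$headless = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in $browsers -and $_.CommandLine -match '(^|\s)--?headless' } |
    Select-Object ProcessId, ParentProcessId, SessionId, Name, CommandLine
"`n== Headless browser processes =="
$headless | Format-List

# 4. The built-in tool's view of the same sessions, for cross-checking the CIM data.
"`n== query session =="
query session 2>$null
```

Two caveats on reading the output. First, per ThoriumBR's comment, an attacker who can run code on the host can also proxy through it, so Google's new-location alert is not a reliable backstop and the host-side checks above are the ones you actually control. Second, this is a user-mode look at WMI and the process list; an implant at the kernel level (the premise of the second answer) can hide sessions and processes from exactly these sources, so an empty result is a quick negative, not proof of absence.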

If we are assuming a full kernel level hack on your system then the following is true:

A GUI isn't needed to do anything at all on your computer, everything can be done with pure code.

BUT THEN

If the hacker was also some kind of playful artist, he could create an invisible shell which would mirror your GUI without actually touching it. He would have access to everything, all your windows, their locations, icons, your status bars, desktop, your tabs, everything. And he could manipulate all of it, essentially using your whole computer as if it was his own through his special "GUI copy app" that would take care to never interfere with your GUI.

Window movement, memory reading and writing can all be accomplished through his invisible GUI shell which isn't really your GUI, but is a clone of it with all functions duplicated and mirrored. Probably based on explorer.exe.

Of course he would have to decide whether or not to propagate YOUR GUI manipulations over to his version. He could choose to do so, just to see what you are doing, then override it and go about his business as if he were sitting on the computer in front of you.

Such a tool would only be made by somebody who was more interested in making a fun art project rather than getting stuff done.

But is it possible? Absolutely. Has it ever been seen in the wild? I don't think so, only because the hacker priorities don't mix.

8vtwo