Programs running during the user session are often running as that user.
The "correct answer" to this is probably that there isn't a good answer here.
Security is a damn minefield and it's getting worse every day.
There is no universe in which it makes sense to ask the very user who just created a shortcut if they should have permission to create that shortcut.
This is why Microsoft was so widely mocked for just how bad their initial implementation of UAC was.
"iPhone Shortcuts always asks permission to access file"
https://discussions.apple.com/thread/254931245
iOS Shortcut danger
https://cyberpress.org/unveiling-risks-of-ios-shortcuts/
But anywho, cve.org lists 78 shortcut vulnerabilities across many platforms.
I know you'd like to believe the world we live in shouldn't require permissions for a user to create a shortcut and then access it, but that... Is actually the world we live in, and have been in for a very long time.
Security is hard and it's not getting any easier as system complexity increases.
If you don't believe me, ask your favorite LLM. I asked Gemini and got back what I expected to.