Originally Posted by Stargazer
But that code would have to be downloaded and run manually, which means that any compromise would become obvious as soon as the first person noticed something amiss. With Steam's automatic updates, everyone could be hit near simultaneously with a new exploit and most would be unaware of anything unusual, due to all the other update activity.

GOG's Galaxy could well pose similar security risks to Steam's client, but their existing system is less risky than standard downloads from many mainstream websites.

As for UAC, it's designed more to annoy programmers and users into storing data outside the Program Files folder, which not only breaks older games but also hampers modding tools (this recommendation is repeated for modding Baldur's Gate with WeiDU for example). So GOG are perfectly correct to recommend against it - there are far better security tools out there.


Did you miss the part about GOG installers setting every game to run as administrator? Letting a program run with administrator access gives it access to more than just writing to protected directories. This is far more a security risk to users than Steam having a helper service running as admin (the Steam client itself is not running with admin privileges).

UAC is not designed to "annoy programmers and users into storing data outside the Program Files folder." It is designed to separate programs running with user access and full system access. Newer programs for Windows (properly written) are designed to be stored in the protected Program Files directory and store user data in the user's appdata directory. Storing programs outside of the Program Files folder is a good practice for older programs not written for the newer security scheme, but the directory permissions need to be set to give the user full read/write access to it or else it will trigger a UAC prompt for admin privileges.

The Steam service has a signed security certificate. If some kind of malware or virus infects it, you will know. GOG's games aren't signed, and users running them as admin won't know if they become infected.

GOG recommending users turn off built-in security components and run every one of their programs as administrator is ridiculous. You standing up for GOG's lack of security concern and setting every program up to run with administrator privileges, while blasting Steam for having a digitally signed service running, just shows your bias against Steam.
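
Added example, not part of the original posts: a PowerShell audit that lists every executable flagged to always run as administrator and reports whether each one carries a valid Authenticode signature, the two properties argued over above. It assumes the flag was set through the Windows compatibility layer (the `AppCompatFlags\Layers` registry key); a program that requests elevation through its own manifest will not appear here.

```powershell
# Added example: find executables marked "Run this program as an administrator"
# in the compatibility-layer store and check their Authenticode signature.
# Read-only; it changes nothing on the system.
$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

$report = foreach ($key in $layerKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent: nothing flagged
    $item = Get-Item -LiteralPath $key

    foreach ($exePath in $item.GetValueNames()) {
        if (-not $exePath) { continue }                     # skip the unnamed default value
        $flags = [string]$item.GetValue($exePath)
        if ($flags -notmatch '\bRUNASADMIN\b') { continue } # other compat flags are not elevation

        $status = 'FileMissing'                             # stale entry for a removed program
        $signer = $null
        if (Test-Path -LiteralPath $exePath -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $exePath
            $status = [string]$sig.Status                   # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
            }
        }

        [pscustomobject]@{
            Path      = $exePath
            Scope     = $key.Substring(0, 4)                # HKCU = this user, HKLM = all users
            Flags     = $flags
            Signature = $status
            Signer    = $signer
        }
    }
}

# Elevated and unsigned (or failing verification) entries sort away from 'Valid'.
$report | Sort-Object Signature, Path | Format-Table -AutoSize -Wrap
```

Entries with `Signature` of `NotSigned` or `HashMismatch` are the ones that run elevated with no publisher check to show whether the file has changed since install.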