Apple - Security implications of user owned directory in /Applications

On macOS, root doesn’t play much role as any user that is an administrator functions with the same power. When you type any admin user and that admin password in a permission dialog, that makes any user (even a non-admin user) root.

Some apps have a script or framework to change ownership to root, others don’t change it (like when you copy an app from Downloads or a disk image)

The information you show makes no difference security wise. This is just permissions on a folder and package that anyone can read and execute. Other mechanisms check for known bad software and validate that parts of the application have not been tampered with.

You can test this yourself quite easily:

Choose an app that has myUser / admin owner and group, and try modifying it. Then do the same for one that is root/wheel.

The first can be modified (by myUser) without authorization. The latter requires authorization.

So theoretically, a malicious script running as a process of the same admin user could modify or delete such apps at will.

@bmike is right that such modified apps may be prevented by the OS. However, as another test, I just modified some bytes of the binary file on an app, and MacOS did not prevent its launch. (The app crashed, mind, but MacOS still tried to launch it!)

As for apps in myUser/Applications: those files are inside the user's domain, and so there is the expectation that the user (and any user processes) should be able to write to them.