It defaults to install for all users, but you can deselect the checkbox on the first page of the installer and it will be installed and put on PATH for the current user.
Python 3.4 is the latest version that defaults to a system install.
The main thing such a warning needs is a detailed help document for users to follow to fix it, which has to include the variety of scenarios that may have caused them to end up with another Python on PATH (including unrelated applications that embed a copy). Once we have that document, and it’s been reviewed/contributed to by those with an interest here, we can look at modifying the default in the case where there is no python.exe to be superseded by (or to supersede) the new entry.
The CVE was just an example. Any application may be impacted by having its python3.dll or vcruntime140.dll overridden, or any DLL installed by a package into the prefix directory. The only way we can avoid breaking other apps is to avoid putting anything on PATH besides our main executable, which requires some (breaking) changes to move the filesystem layout around and potentially change the python.exe on PATH (incompatibly) into a redirector.