“User root” is not the class of root access the vulnerability achieves:
- In “user root”, root access are derived to a proxy, a root manager (apps like SuperSU, Superuser, etc), requires the user to accept that permission (which is automatically done if you checked the permanent option).
- On the contrary, this vulnerability doesn’t request permission, but earn it by other means.
It’s basically irrevelant whether your device is rooted already or not; it will achieve it anyway.
Nope, you are completely right. No one is going to force you to install some app you won’t want to install [1]. But anyway, it comes to be a matter of trust on the source (developer) and channel (app store, website if provided as an APK).
[1] = well, Google if you have GMS, but just some few people protested when Google globally forced the installation of their Google Play Services without user interaction nor acceptance, even on old devices with lack of space and absolutely no need for the new backported features. (That was in fact the event that definitively changed my mind and the trigger for me to investigate NoGApps/microG, btw)