Obviously I do trust most of the programs that I install to not be malicious, however, I do use npm as a package manager for my own projects which is commonly accepted to be a vector for malware due to the sheer number of dependencies each module and it's dependencies can have. I'm concerned that a malicious program that I install on the user level could then trick me into somehow giving up my sudo password through this method. In malicious hands this could probably be used to edit aliases or append a directory of the attackers choosing to the beginning of the $PATH. My understanding of user permissions is that any process spawned by my user will then have read/write permissions to this file.
