[This is preliminary documentation and subject to change.]
Custom actions run at user privileges and have limited access to the system. Custom actions can access the system for queries, but all updates are passed through a security boundary for subsequent execution, as described in Installation Mechanism.
The only way a custom action can cause a change at elevated privileges is by manipulating tables used by built-in actions.