I felt the need to comment because this is a real WTF. It opens up all kinds of attack vectors.
For example: many RPMs have scriptlets that run on installation or upgrade. Have any of these scripts been designed to be secure in the face of a malicious local non-root user, who can do things like manipulate the environment, etc.? Of course not, because the package maintainers rightly assume that anyone installing a package has root access anyway, so they don't need to protect against the possibility of a local user gaining root access.
This move gives malicious users several thousand new, juicy targets.