If they have access to the account that is being used normally, they can modify the (user-accessible) settings to trick the user into running malicious code and giving them access (or causing trouble even without access to the root account).

If you lose physical control over the machine, all bets are off because an attacker can modify the hardware to do nefarious things.