PA-2019, the installer was changed to lay down permissions differently so that ProgramData generally has Administrators: (F) and SYSTEM: (F) set recursively.
It's possible to create an "administrative" user based on their token privileges, but without actually making them part of the Administrators group. The check inside Puppet at for elevated_security? at https://github.com/puppetlabs/puppet/blob/e7839794a1d7d393e6716927764c1276494123c2/lib/puppet/util/windows/process.rb#L183-L205 will then pass, despite the user not being in Administrators.
If such a user is assigned to the Puppet service, then pandemonium ensues, given how permissions are set on ProgramData\PuppetLabs.
The admin? check should be altered to ensure the user is part of Administrators or not. This determines where data can be written for that user.