Ah, but how does this Superuser.apk achieve root privileges? By calling the setuid root `su` program, you say.
And how does this setuid root program actually gain root privileges? Why, the OS is able to execute arbitrary code with arbitrary privileges, and it makes an exception for `su`.
Wait... so Android could run processes with root privileges without asking you? Whoa!
Now consider that adbd on a rooted device runs with root privileges...
Superuser.apk does not achieve root privileges and su does not blindly run your program with root privileges. su asks superuser.apk, if your program is allowed to run as root and only when superuser.apk agrees (and displays toast), then your program is run.
Also, the arbitrary privileges are reserved for setuid programs, which is not easy to achieve. Basically, su and Superuser.apk are gatekeepers to uid 0, which short of bugs, you can't get around.
Also, did you know, that you can disable adbd? Or remove root privileges from it?
And how does this setuid root program actually gain root privileges? Why, the OS is able to execute arbitrary code with arbitrary privileges, and it makes an exception for `su`.
Wait... so Android could run processes with root privileges without asking you? Whoa!
Now consider that adbd on a rooted device runs with root privileges...