Surely you don't imagine I rely on Controlled folders for all my security.
That's not the point. The problem is, its protection is very, very specific, and attacks successfully avoid it.
I'm not aware of any way to circumvent Controlled Folders other than by replacing an existing ".exe" image that's authorized to access those folders.
You don't need any special "way" to do that. The reason there is malware running on a system in the first place is usually (that is, if it's not the user manually starting it) an exploited vulnerability in running software. Malware already executes on behalf of that software, some existing process. It has to do something special, like writing an launching a separate executable, to be recognized as something else. What malware authors often did before for convenience, because then everything that anyone wrote anywhere was executable and had user's (in not administrator's) permissions already. Those times are gone, so malware authors adapted to it.
Nevertheless to make it _look_ like the request is coming from a different executable, it's sufficient to make an executable with the name that looks like legitimate one (for example, with identical symbols from a different language, like "fоо" instead of "foo"), place it into a directory in a very long path that can't be displayed whole, reproduce the whole warning message inside the file name, etc.
This is why properly designed security mechanisms should never, ever ask the user to approve anything at runtime. Because if permission model does not know, the user certainly does not know, either.
