After the installation of Homebrew, the /usr/local can be modified by non admin users.
However, the default root PATH variable still includes the /usr/local/bin as part of the search path.

If command without prefix is called when logged in as a root user, executables in the directory /usr/local/bin could be run with root privileges which is a potential security risk.

Duplicate of #349 ?

I don't think so. That one is mainly for search path for homebrew executables, while this issue is for search path of root user's shell.

Interactive login as root should be avoided altogether and if an attacker can manipulate files in PATH, there's not much left to defend against.

I believe even though interactive login should be avoid as possible, there still exists scenario I have reasonably reasons to use root user.
After installation of HomeBrew, attacker can manipulate files in /use/local/ quite easily, since Homebrew change the ownership of the directory. In which way a non root user could write to this directory. However, the PATH variable still assume this directory is only written by root user and execute binaries in it.

If you believe that's all fine. Why not make you current user's home directory into the root user's PATH variable, so as you never use the root user.
Accidents should be avoided as a driver doesn't mean we can put whatever stuff into where airbags belong.

Homebrew should not be installed to /usr/local as this guide points out; the home directory is a safer place to keep it. And if the attacker can manipulate the filesystem as you, the game is essentially already lost.

You are right, Homebrew should not be installed to /usr/local. However, that is not something they officially offer support.

However do yourself a favour and install to /usr/local. Some things may not build when installed elsewhere. One of the reasons Homebrew just works relative to the competition is because we recommend installing to /usr/local. Pick another prefix at your peril!