If you run TurboTax normally it runs without the admin token, but by running "C:\Program Files\TurboTax\Individual 2023\64bit\TurboTax.exe" as admin, that TurboTax.exe process runs the unsigned executable, and no elevation is needed to update files. The reason the UAC prompt is yellow instead of blue is because the certificate is not trusted by the system when elevating. You can see if a process is elevated by going to the details tab in Task Manager and enabling the "Elevated" column.
I took some time to look at the permissions of the helpers in "C:\Program Files\Common Files" and the folder and files only have write permissions from administrators and system, so an attacker would've needed to do a privilege escalation to replace those "Test" signed .exe files anyway.
The problem you have with unsigned executables is that they can be swapped out, if an attacker can write to them, and elevated unexpectedly.
I am unsure why the Intuit Update Service v5 (in services.msc) doesn't remove the need for anything to be launched. You don't need to elevate your session to update Google Chrome, for example, because it has a service do it. Either way... the effectively unsigned .exe should be fixed by Intuit.
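
An added example, not part of the original post: a PowerShell audit for the two conditions discussed above, listing executables whose Authenticode signature is not valid or that a principal other than SYSTEM, Administrators or TrustedInstaller can modify. The default `$Root` path and the list of trusted SIDs are assumptions to adjust for the directory being checked.

```powershell
param(
    # Assumed default; point this at the install or helper directory to audit.
    [string]$Root = 'C:\Program Files\Common Files'
)

# Well-known SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow replacing or tampering with a file, plus GENERIC_WRITE and GENERIC_ALL.
$rights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
Where-Object { $_.Extension -in '.exe', '.dll' } |
ForEach-Object {
    $file = $_
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $acl  = Get-Acl -LiteralPath $file.FullName

    # Resolve ACEs to SIDs so the comparison does not depend on localized account names.
    $writers = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Path            = $file.FullName
        Signature       = $sig.Status   # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
        NonAdminWriters = ($writers | Sort-Object -Unique) -join ', '
    }
} |
# Report only files that fail either check.
Where-Object { $_.Signature -ne 'Valid' -or $_.NonAdminWriters } |
Format-Table -AutoSize -Wrap
```

A file that shows both a non-valid signature and an entry under `NonAdminWriters` is the combination the post warns about: a binary that an unprivileged user can replace and that may later be run elevated.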