LD_PRELOAD is how they can log keystrokes.
For example, you aren’t storing your passwords in /home/user (I hope) but you are entering them into websites in your browser. LD_PRELOAD can hook into the browser and grab passwords.
If an attacker can set LD_PRELOAD globally, security in the user’s session is basically non-existent. Not even sandboxing etc. would help as they can just hook into the sandbox program too.
LD_PRELOAD can also likely introduce new arbitrary code to bypass
noexec/TPE/apparmor execution restrictions. They can probably run
LD_PRELOAD=/path/to/malicious_libary /bin/echo test
printf() to a new function that exploits some vulnerability.