If you are going to develop SharePoint workflows either with Visual Studio or SharePoint Designer you will have to think about security - regardless you want or not.
The most important thing is knowing the windows identity under which your activity will run on SharePoint. That's either the IIS application pool user, in case you stimulate the workflow via the web interface or the Windows SharePoint Services Timer user for scheduled stimulations. The workflow operates with the system privileges of its windows identity. This behavior is the same for both Visual Studio and SharePoint Designer workflows.
Because SharePoint has a security model of its own the windows identity doesn't matter! The granted SharePoint privileges depends on the current SPUser. In case of a Visual Studio workflow the SPUser get from the SPWorkflowActivationProperties' objects is the the SHAREPOINT\system user with full SharePoint privileges.
SharePoint Designer workflows behaves another way. The current SPUser get from the WorkflowContext's objects (e.g. WorkflowContext.Site) is impersonated to the workflow's author, the user who started the workflow. Means the workflow operates with the SharePoint privileges of the author (usually contributor rights) and the system privileges of the windows identity (Application Pool/Timer Service user)!
Impersonation snippet taken out of the WorkflowContext.Site property:
SPSite site = new SPSite(this.m_siteId);
SPUser user = site.RootWeb.SiteUsers[this.m_inProps.Originator];
SPUserToken userToken = user.UserToken;
this.m_site = new SPSite(site.ID, site.Zone, userToken);
If you write a custom activity for SharePoint Designer as described here, you may want to undo this impersonation. You can use the following code snippet in the activities' execution context to undo:
SPSite site = new SPSite(__Context.Site.ID));
SPWeb web = site.AllWebs[__Context.Web.ID]);
You don't need to use the SPSecurity.RunWithElevatedPrivileges method because the current windows identity is the application pool user.
Now the site and the web run with the SharePoint system user's privileges.