malware – Process Injection and Process Isolation by OS

If the OS is responsible for ensuring that one process cannot access another process memory space, and the point of process isolation is to keep processes separate from one another, then how can a malicious process perform actions on another process, say for example a DLL injection?

Example: In the Windows API how can a malicious process call CreateRemoteThread on another process to create a malicious thread under that target process? Isn’t that an inherently unsafe API call? Forgive me, I am new to malware analysis. Recently started the topic.