@MikeTFB OK, great, the setup.exe activity is normal!
FYI, controlled folder access is part of Ransomware protection under Windows Security. Any folder can be protected; I protected all of mine. The first time an application tries to write to a protected folder, an alert pops up and the app can be permanently whitelisted.
I think I've tracked down the problem: setup.exe from the original AppData installation has been trying to write to the standalone temp directory.
The latest version in the standalone Application folder is 7.0.3495.27 (Dec 20). The latest in AppData is 7.0.3495.29 (Jan 8). Before that, updates in the standalone seemed fine, I'd see the restart alert and restart. So I'd guess that the original setup.exe has been trying to update the standalone and not having access to the standalone folders. Why now, I don't know.
I can try to whitelist setup.exe from the original install, but not sure why it hasn't required that until recently.
Is setup.exe from the original install supposed to be handling updates for the standalone as well?