This isn’t a security flaw at all. It’s that simple: As long as your user isn’t logged in, the keychain is locked. Once you’re logged in, the keychain automatically unlocks, so that native applications (like Safari) are able to retrieve a certain password that they need.

The reason why there’s no extra level of “asking the user for yet another password” is because you — as a user — are not the only one who’s accessing these entries. The keychain isn’t just made for managing account passwords, but rather for all kinds of different credentials (WiFi passwords, application passwords, the password for your AirPort router, AirPlay pairing codes and many other things).

Hiding these things be behind another level of security would basically result in you having to enter each password and every credential every time you connect your device to things like routers, other wireless devices and such. — Every. Time.

And when it comes to usability, this wouldn’t make any sense at all. Because of that, Apple already did a marvelous job with prompting the user for permission each time he’s trying to export one of these passwords. Assuming that the keychain is locked and you’d like to retrieve one of these entries via the shell or in Safari’s UI (for example), you need to enter the password of your user’s account again. It’s perfectly fine!

Handing Access to Someone Else

If you’re at the Apple Store working through an issue you’re having, you’re going to be logged into your user account. If your technical support team is troubleshooting with you, you’re going to be logged in…

That’s absolutely correct!

However, I need to agree with Lonczkor András: YOU are fully in control of this whole process. If you don’t want someone to access this data, you either shouldn’t give them access to your computer at all or simply lock the keychain by hitting the icon on the top left.

If opening the “Keychain Access” app every time you’d like to lock it doesn’t like a reasonable solution to you, simply open its Preferences and check “Show keychain status in menu bar”. This allows you to easily secure your data with a single click each time you give away access to your Mac.

Other Things You Would Call “Security Flaws”

Another important thing that you need to keep in mind is that there are probably hundreds of so-called “session tokens” on your devices.

These keys are usually sent over the web each time you’re accessing a certain website or application and are used to identify you on the server to which your “client” (the application/browser) is sending requests to.

All in all, this basically means that (with many services), another way to retrieve your data and trigger actions on your behalf would be to simply copy these session tokens over to another device and make some other requests from there.

Yet another example is your email client: Most of us (if not all of us) have some kind of email application installed on our Mac. It doesn’t matter if it’s the default one, Outlook or whatever. The end result is always that the person who (somehow) got access to your computer only needs to hit “Reset password” on whatever service you’re using, hit the link that comes with the email and enter a new password. Boom! He/she’s now logged in.