Ok? I don't know if it's the OS on behalf of the app or not. It's a password prompt that doesn't even have an affordance for biometrics, unlike other MacOS admin prompts. It's commonplace in MacOS applications.
This is an example of what I'm talking about https://www.reddit.com/r/Slack/comments/1geva4f/how_do_i_sto...
This is good for security because you're giving temporary access for a helper binary to do privileged stuff in a limited scope.
From the UX perspective, yes, it is triggered from the app.
It's been a long time since I used the Core Foundation API but you trigger a request, and then get back a token from the OS that grants you permission to do stuff.
I don't know if this is current or not:
https://developer.apple.com/library/archive/documentation/Se...