It's literally how it's always worked, and not just on Linux - this is standard across desktop operating systems. Except macOS, and very recently
KWallet is for encryption at rest, so an attacker can't read your secrets if they steal your computer. It IS NOT protection from your own applications running as the same user.
That's just not how Linux desktop works. It's a desktop operating system, it's not iOS. All apps running as your user have your user's permissions.
Is it an outdated security model? Yes, enter sandboxing and newer kernel features. If you're not doing that though then you won't get that.
Just run your shit in Flatpak, problem solved. Or better yet, don't install malware and only download trusted open source software from trusted repositories.