It doesn't always prompt for a password or, more accurately, fingerprint scan on newish devices. In fact, standard applications that live in /Applications don't need it.
Nor do free apps downloaded via the App Store, as I just tried. Although this may be a setting somewhere.
But does it matter? You know what doesn't need a password? Accessing your photos. There's really very little you can do after authentication that you can't do otherwise. Maybe, after exfiltrating all the user data, you can also update macOS.
Sandboxing is really far more important than protecting sudo privileges, and I believe Apple is doing a fairly good job in that regard.