
Why would it need sudo? If that were the case, then every web browser and every IM client and everything else on your computer with a password would need sudo.

You're telling your computer to save your passwords and give them back to you later. You shouldn't be surprised when it gives them back to you later.




So, generally each application needs to be authorized separately. I should have to type my password to allow this application to access my passwords. If I can just click "allow" with no password, then so can anyone else trivially with Terminal access.

If I go into Keychain Access and ask to see a password, it prompts for my master password before showing it to me. This should too.


From KeyChain's point of view, this command-line utility, /usr/bin/security, is no different from other GUI applications like Mail.app and Safari.app that rely on KeyChain to supply remembered passwords. If you expect KeyChain to prompt you for your master password when /usr/bin/security asks KeyChain for passwords, then you will be prompted every time Mail.app checks your email.

Actually, you can configure KeyChain to do just that: just set the keychain to lock after 0 minutes of inactivity. But there is always the tradeoff between security and convenience. And when you give physical access and a logged-in session away to a malicious user, offering protection will require a lot of inconvenience.
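The two behaviours discussed in this thread, shown as an added shell example that is not code from any commenter: reading a stored secret through /usr/bin/security (which, while the keychain is unlocked, returns it to any process running as the logged-in user with no further prompt), and the "lock after 0 minutes of inactivity" setting applied from the command line with `security set-keychain-settings`. The keychain path, the `SERVICE` item name and the `example-service` placeholder are assumptions; the script only invokes `security` on macOS and otherwise just composes the command so it can be inspected.

```shell
#!/bin/sh
# Added example; assumes macOS with /usr/bin/security. KEYCHAIN may be left
# empty, in which case the security tool acts on the user's default keychain
# (on current macOS that is ~/Library/Keychains/login.keychain-db; assumed here).
KEYCHAIN="${KEYCHAIN:-}"

# The idle timeout must be a non-negative integer number of seconds.
valid_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Compose (but do not run) the hardening command: -l locks the keychain when
# the machine sleeps, -u -t N locks it after N seconds of inactivity. $2 is an
# optional keychain path. Printing it first lets you review it before running.
lock_settings_args() {
    valid_timeout "$1" || return 1
    if [ -n "$2" ]; then
        printf 'set-keychain-settings -l -u -t %s %s\n' "$1" "$2"
    else
        printf 'set-keychain-settings -l -u -t %s\n' "$1"
    fi
}

have_security() {
    [ "$(uname -s 2>/dev/null)" = Darwin ] && command -v security >/dev/null 2>&1
}

# The behaviour the thread complains about: with the keychain unlocked, -w
# prints the stored password for a generic-password item to stdout, no prompt.
read_secret() {
    security find-generic-password -s "$1" -w
}

# The commenter's fix: lock on sleep and after $1 seconds idle (0 = the
# "0 minutes of inactivity" setting), then display the resulting settings.
harden() {
    valid_timeout "$1" || { echo "bad timeout: $1" >&2; return 1; }
    security set-keychain-settings -l -u -t "$1" ${KEYCHAIN:+"$KEYCHAIN"}
    security show-keychain-info ${KEYCHAIN:+"$KEYCHAIN"}
}

if have_security; then
    harden 0
    security lock-keychain ${KEYCHAIN:+"$KEYCHAIN"}
    # After locking, the same read no longer returns the secret silently:
    # the keychain asks for its password (or the call fails if cancelled).
    read_secret "${SERVICE:-example-service}" || echo "read refused or cancelled" >&2
else
    echo "not macOS: would run: security $(lock_settings_args 0 "$KEYCHAIN")" >&2
fi
```

Note the tradeoff the comment describes still applies: with a 0-second idle lock, every application that relies on the keychain (Mail.app included) will trigger the password prompt on each access.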



