So, generally each application needs to be authorized separately. I should have to type my password to allow this application to access my passwords. If I can just click "allow" with no password, then so can anyone else trivially with Terminal access.
If I go into Keychain Access, and ask to see a password, it prompts for my master password before showing it to me. This should too.
From Keychain's point of view, this command-line utility, /usr/bin/security, is no different from other GUI applications like Mail.app and Safari.app that rely on Keychain to supply remembered passwords. If you expect Keychain to prompt you for your master password when /usr/bin/security asks Keychain for passwords, then you will be prompted every time Mail.app checks your email.
Actually you can configure Keychain to do just that: just set the keychain to lock after 0 minutes of inactivity. But there is always the tradeoff between security and convenience. And when you give away physical access and a logged-in session to a malicious user, offering protection will require a lot of inconvenience.