The fact that any application can spoof the OS password prompt makes me wonder why they don't have a prominent feature to show the prompt is from the OS. On Windows there is the secure desktop with the dimming effect.
Note that that is not what that "effect" is for. It's not, strictly speaking, even an actual "effect". Windows is creating and attaching another "desktop" to your screen, and putting the dialog there. The alternate "desktop", the "Secure Desktop", is inaccessible from any other software on the computer, so a piece of malware can't say "Ask for permission to do blah, then find the 'Allow' button and click it". The "dimming" is to make it clear that this dialog is completely modal, and you can't get to anything else while it's around. It's in no way meant as a "Look, this is an OS prompt", and it's quite easy to match the effect from another program: just grab a screenshot, dim it, throw it up full screen, then throw your dialog in front of it.
This is true, but in terms of how the user interacts with the dialog, they can more or less associate the dimmed background and Secure Desktop dialog box with a "from the OS" behaviour. This happens because, as you said, the secure desktop is "inaccessible from any other software on [your] computer."
I don't actually know if I fully believe that. I haven't seen the internals of how it's implemented, but at the very least most users can assume that only the OS can bring up the prompt, and only the user can make it go away.