> Say your computer is infected, the malware won't silently do it: it will have to interact with you.
macOS is so needy about all kinds of fingerprint/password-related things (and has no context of secure desktop) that it is trivial for malware to simulate and no way for the user to tell whether it's genuine, so it's not a real barrier at all.
If the key is marked as exportable, the malware will happily export it for you. The only way to defend against that is to make the key non-exportable to begin with.