[exabrial]

So Windows doesn't have an equivalent of OSX Keychain, where an item can have a per-application ACL? [or I have misunderstood the OSX Keychain]

[HHad3]

Correct, Windows does not have per-application identities that could be used with a keychain service. Furthermore, every application in your Windows session (unless sandboxed) has access to virtual memory of other applications in the same session.

On macOS, applications address spaces are isolated and code signing certificates are used for identifying application requests to the keychain.