Sensitive features like screenshots, input methods, screen locking and whatnot are behind extensions (or portals). I'm not familiar with the state of GNOME/KDE/Flatpak, but at least on the wlroots side of things it is true that currently these extensions are enabled and accessible by any process that can talk to the Wayland socket (breaking those security benefits, as you say). This is changing with protocols such as security-context that allow a sandbox engine like Flatpak (or your custom scripts) to restrict what features apps can use. (so your browser can't register an input method, or some random app can't lock the screen)
https://gitlab.freedesktop.org/wayland/wayland-protocols/-/m...
https://github.com/swaywm/sway/pull/7648
https://github.com/flatpak/flatpak/pull/4920