Password prompt for creating a backup and adding a device

Expected behavior

When adding an additional device or creating a backup in DC-Desktop, the OS password for the respective user is required.

Actual behavior

When adding an additional device or creating a backup, no password is requested in DC-Desktop.

Explanation

This is already the case in the other DC versions. I consider the absence of this feature in DC-Desktop to be a major security risk. Since many users likely use DC on both their smartphones and desktops, it is possible to bypass this security feature via DC-Desktop.

An attacker—who could be, for example, an abusive partner—who gains unnoticed access to the desktop version can transfer the profile to another device, read all chats, and send fake messages. The victim would have no idea that the profile had been compromised.
To make matters worse, this feature in DC is called “Add Second Device” and not “Add Additional Device.” Many users who aren’t tech-savvy believe a profile can only exist on two devices at the same time. As a result, they aren’t aware of the risk.

2 Likes

You don’t often see this “enter your OS password” prompt in Desktop apps; I am not sure how one would implement it.
Maybe one has to look into this “passkey” thing? This could be either a hardware key or just a PIN code (on Windows), or some OSes are capable of using face recognition for this.
One can start with the Web Authentication API (MDN), except we probably don’t need to store credentials; we only need the OS to prompt for authentication.
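
The idea in the reply above, sketched as an added example that is not part of the thread and not Delta Chat code: WebAuthn used purely as an OS-level "verify the user" prompt before a sensitive action. It assumes a platform credential was registered once beforehand and its ID kept locally; `buildGateOptions`, `userWasVerified` and `gateSensitiveAction` are hypothetical names.

```javascript
// Flag bits in WebAuthn authenticatorData: the flags byte follows the 32-byte rpIdHash.
const FLAG_UP = 0x01; // user present (e.g. a touch)
const FLAG_UV = 0x04; // user verified (PIN, biometric, or OS password)

// Build request options that demand user verification, not mere presence.
function buildGateOptions(challenge, credentialId) {
  return {
    publicKey: {
      challenge, // fresh random bytes for every sensitive action
      allowCredentials: [{ type: "public-key", id: credentialId }],
      userVerification: "required", // "preferred" lets the authenticator skip the prompt
      timeout: 60000,
    },
  };
}

// Return true only if the authenticator reports that the user was verified.
function userWasVerified(authenticatorData) {
  const bytes = new Uint8Array(authenticatorData);
  if (bytes.length < 37) return false; // rpIdHash(32) + flags(1) + signCount(4)
  const flags = bytes[32];
  return (flags & FLAG_UP) !== 0 && (flags & FLAG_UV) !== 0;
}

// Hypothetical wrapper: run `action` (assumed here: start backup export or
// show the add-device QR code) only after a successful OS prompt.
async function gateSensitiveAction(credentialId, action) {
  const challenge = crypto.getRandomValues(new Uint8Array(32));
  let assertion;
  try {
    assertion = await navigator.credentials.get(buildGateOptions(challenge, credentialId));
  } catch (err) {
    return false; // cancelled, timed out, or no authenticator: fail closed
  }
  if (!assertion || !userWasVerified(assertion.response.authenticatorData)) return false;
  await action();
  return true;
}
```

Checking the flag inside the client makes this a local gate for someone with brief access to an unlocked session; the assertion signature is not verified here.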