From KeyChain's point of view, this command-line utility, /usr/bin/security, is no different from other GUI applications like Mail.app and Safari.app that relies on KeyChain to supply remembered passwords. If you expect KeyChain to prompt you for your master password when /usr/bin/security asks KeyChain for passwords, then you will be prompted every time Mail.app checks your email.
Actually you can configure KeyChain to do just that: just set the keychain to lock after 0 minutes of inactivity. But there is always the tradeoff between security and convenience. And when you give away physical access and a logged-in session away to a malicious user, offering protection will require a lot of inconvenience.
Actually you can configure KeyChain to do just that: just set the keychain to lock after 0 minutes of inactivity. But there is always the tradeoff between security and convenience. And when you give away physical access and a logged-in session away to a malicious user, offering protection will require a lot of inconvenience.