A nontrivial amount of macOS software, even from large, well-known vendors, has some step during the installation process where it puts up its own dialog asking for your password (and, I strongly suspect, shells out to "sudo" when it gets it).
This is part of why I think it’s a good idea to pursue an OS design where for the majority of user-facing software, installation does not require administrator privileges.
This would enable the addition of a system where in order to get admin privileges, installers and software must request that the system present UI informing the user of exactly what would be installed and asking the user to approve or deny. This also lets the OS keep a record of the installation to allow easy user removal.
My experience is that this is mostly developer tools that are doing things you want administrator access for anyways. And, for most Mac apps, there isn't an "installation process": download and drag to applications and you're ready to go.
The line between the things you have to do to use your stuff to get things done, and the things you shouldn't do if you don't want to get scammed or hacked, has gotten blurrier and blurrier. Troy Hunt has written a few "indistinguishable from phishing" articles (e.g. https://www.troyhunt.com/when-bank-communication-is-indistin..., https://www.troyhunt.com/thanks-fedex-this-is-why-we-keep-ge...) and I see more and more of this kind of thing all the time.