So the attacker makes sure that your xterm is thunked with an LD_PRELOADed library that reports a successful grab without actually performing one. Xterm continues along its way and your password still gets grabbed. Xterm's grabs are intended to secure against hostile *X* applications that may be running on machines out of your control. That's simply not the common threat model any more, and instead it just results in people thinking that they're secure when they're not.
(Heck. The attacker could ignore X altogether and just thunk read and write in xterm and read everything going over the pty. You'd end up with a secure channel between the server and the xterm, which would win you absolutely nothing overall.)
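As an added illustration of the point above (this is example code, not anything from the original post or from xterm itself), here is the kind of sanity check a program that relies on X grabs could perform on its own process: is LD_PRELOAD present in its environment, and are any shared objects mapped from outside the system library directories? The sample maps text, the /tmp/hook.so path and the list of "allowed" directory prefixes are all constructed assumptions for the demo; on a Linux host the program also reads its own /proc/self/maps.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /proc/self/maps format (not captured from a real
 * system): libX11 mapped from a system directory, plus one shared object
 * mapped from /tmp, where a user-writable preloaded library could live. */
static const char SAMPLE_MAPS[] =
    "7f3a1c000000-7f3a1c021000 r--p 00000000 08:01 131  /usr/lib/x86_64-linux-gnu/libX11.so.6.4.0\n"
    "7f3a1c021000-7f3a1c135000 r-xp 00021000 08:01 131  /usr/lib/x86_64-linux-gnu/libX11.so.6.4.0\n"
    "7f3a1c200000-7f3a1c201000 r-xp 00000000 08:01 999  /tmp/hook.so\n"
    "7ffd0e000000-7ffd0e021000 rw-p 00000000 00:00 0    [stack]\n";

/* Assumed set of directories shared objects are expected to come from. */
static const char *const ALLOWED_PREFIXES[] = {
    "/usr/lib/", "/lib/", "/usr/lib64/", "/lib64/", "/usr/local/lib/",
};
#define N_ALLOWED (sizeof ALLOWED_PREFIXES / sizeof ALLOWED_PREFIXES[0])

/* 1 if LD_PRELOAD is set to a non-empty value, else 0. */
int preload_env_set(const char *ld_preload)
{
    return ld_preload != NULL && ld_preload[0] != '\0';
}

/* 1 if the final path component looks like a shared object, else 0. */
static int is_shared_object(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    return strstr(base, ".so") != NULL;
}

/* Count mapping lines whose backing file is a shared object that does not
 * start with any allowed prefix. `maps_text` is /proc/self/maps content. */
int count_unexpected_libs(const char *maps_text,
                          const char *const *allowed, size_t n_allowed)
{
    int unexpected = 0;
    const char *line = maps_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[1024];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* Address, perms, offset, dev and inode contain no '/', so the
         * first '/' starts the path column (absent for anonymous maps). */
        const char *path = strchr(buf, '/');
        if (path && is_shared_object(path)) {
            int ok = 0;
            for (size_t i = 0; i < n_allowed; i++)
                if (strncmp(path, allowed[i], strlen(allowed[i])) == 0) { ok = 1; break; }
            if (!ok) unexpected++;
        }
        line = eol ? eol + 1 : line + len;
    }
    return unexpected;
}

int main(void)
{
    int issues = 0;
    if (preload_env_set(getenv("LD_PRELOAD"))) {
        puts("LD_PRELOAD is set in this process's environment");
        issues++;
    }
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        static char maps[1 << 16];
        size_t n = fread(maps, 1, sizeof maps - 1, f);
        maps[n] = '\0';
        fclose(f);
        int u = count_unexpected_libs(maps, ALLOWED_PREFIXES, N_ALLOWED);
        if (u) {
            printf("%d mapping(s) of shared objects outside system library dirs\n", u);
            issues++;
        }
    } else {
        /* No /proc (non-Linux): demonstrate on the constructed sample instead. */
        printf("sample: %d unexpected mapping(s)\n",
               count_unexpected_libs(SAMPLE_MAPS, ALLOWED_PREFIXES, N_ALLOWED));
    }
    return issues ? 1 : 0;
}
```

The check is only worth what the post says it is worth: an attacker who can already inject a library into the process can just as easily interpose getenv and fopen so that this code sees a clean environment and a clean maps file. It catches accidental or sloppy preloading and gives a defender something to log, but it is not a boundary against a hostile account on the same host.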