> So, is there a way, when I sit on a computer, to know that I'm entering my password in XDM and not in some other program a malicious user ran?
Well, let's go bit by bit.
1. Ctrl-Alt-Del is only relatively safe. The code that handles it is secure only because it belongs to the Windows kernel, but it resides in a file on the filesystem, and in memory addressable by code running in ring-0. So any exploit that gives you write permissions for that file, or the ability to run ring-0 code (install a driver) can allow you to subvert it. Unfortunately there's a TON of such exploits, so I guess this only serves to prevent wannabe hackers and pranksters.
2. Is your login the only password you type on your computer? I bet not. What about all those? Depending on the software you use and web sites you visit, it can be a considerable number of passwords entered. And probably those include the ones a malicious program would really be interested in, actually.
3. And yes, there is: configure your XDM so that it looks different from the default. Don't forget to mark the configuration files to be only readable by root.
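
A check for the permissions advice in point 3, as an added example that is not part of the original answer: it lists every file under an XDM configuration directory that is not owned by root or that group/other can access. It goes one step beyond the text by also flagging directories that others can write to, since a writable directory lets the files be replaced. The function name `audit_xdm_config` is hypothetical and the path `/etc/X11/xdm` in the usage comment is an assumption about where the configuration lives.

```shell
#!/bin/sh
# Added example (not from the original answer).
# audit_xdm_config DIR [OWNER]
#   DIR   - XDM configuration directory to audit
#   OWNER - expected owner, user name or numeric uid (default: root)
# Prints one offending path per line.
# Returns 0 if clean, 1 if anything was flagged, 2 if DIR does not exist.
audit_xdm_config() {
    dir=$1
    owner=${2:-root}

    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # Files: flag a wrong owner or ANY group/other permission bit, so the
    # customised look cannot be read and copied by an unprivileged user.
    # Directories: flag a wrong owner or group/other write access, which
    # would allow the configuration files to be swapped out.
    findings=$(find "$dir" \( \
        \( -type f \( ! -user "$owner" \
            -o -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) \) \
        -o \
        \( -type d \( ! -user "$owner" \
            -o -perm -020 -o -perm -002 \) \) \
        \) -print)

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (path is an assumption, adjust to your system):
#   audit_xdm_config /etc/X11/xdm || echo "tighten the permissions listed above"
```
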