Applications that masquerade as other applications for the sake of fooling the user have been a fairly well-known security threat ever since someone printed "login: " on their Unix terminal with the intent of capturing the next user's credentials.
I can't see a way to usefully constrain a random application's behavior such that this couldn't ever be a problem. That's why security-conscious people invented the ctrl-alt-del keystroke combo that can't be caught by applications and which will always present the system log-on prompt. After that, people can be instructed to follow a procedure that ensures that login details won't be written to a program that merely looks like the system's login prompt.
If security relies on the user identifying windows and acting based on what they look like, I guess security can't be attained. The pixels are always under the attacker's control, one way or another. And I know of no way to sensibly secure, say, PolicyKit's authentication prompt. Anybody can fake that, it's just a window... I have some hope that Weston, for instance, could make it impossible to make ordinary windows behave quite like security-critical windows. Microsoft chose to train people to look for a darkened desktop with a single authorization popup window in the middle of it. I've no idea if this is something no other application can fake, or what the point of that is, but it is a tough problem to solve.