That's not an answer. Yes, I can run xev on my machine against my X session and see my keystrokes. It is not obvious that this is a problem. A more plausible angle would be that if an attacker compromises one application - say, a web browser - then they could keylog passwords. Of course, most people don't sandbox their browser so that's the least of their problems if it's compromised (ex. https://access.redhat.com/articles/1563163 let an attacker steal ssh keys).

The secure flag from xterm binds/locks kb and mouse and forbids snooping.

You're saying things, but not making an argument or even engaging the discussion really. What's the point you're trying to make, if any?