Xorg letting a malicious program record keys is not a security issue, it's a weakness
having that malicious program on the system, that's the security issue
if you are implementing a display protocol that aims to replace Xorg, the focus should be compatibility, not fixing security weaknesses, especially if you don't have any better solutions, and Wayland does not have a better solution for global keys, compositors are just implementing it in their own hacky way