Still fits "It feels to me more like OSes ought to be more secure."
New USB-HID keyboard? Ask it to input a sequence shown on screen to gain trust.
Though USB could be better too; having unique gadget serial numbers would help a lot. Matching by vendor:product at least means the duplicate-gadget attack would need to be targeted.
E.g. https://shop.hak5.org/products/usb-rubber-ducky