UAC on Linux would require an almost fundamental architecture change, in a way contrary to most of how Linux is used now.
I would say the challenge is not in the architecture, but in the general fragmentation of the ecosystem. PolicyKit is basically an equivalent to UAC, but it’s not used universally by everything that needs elevated access.
I think the basic premise of this question, that Windows and Linux somehow have a different foundational security model that is or isn’t based on passwords, is not really true. Passwords play more or less the same role for any modern operating system – be it Linux, MacOS, Android, iOS, etc.
The only major difference is that instead of UAC, Linux has a variety of options (sudo, policykit, run0), which are implemented differently across different distributions. If your privileged user doesn’t have a password, in some cases this could lead to any program being able to elevate their privilege quietly, unlike UAC.
However, in many distributions you can set up a user with a password and enable passwordless local login, which would be almost equivalent to windows with no password.
Answering your question directly, the major threat to most consumer users is physical compromise or theft of device. Your statement that “physical access is game over” is not entirely accurate: disk encryption with a password is a very strong protection against unauthorized data access, but you need to use a password (doesn’t matter if it’s Linux or Windows).
I agree with other comments here, but, to be honest, this year has been really good! Expedition 33, Silksong, Hades, The Alters, Nightreign, Blue Prince, Dispatch, to name just a few.
Yeah, you’re not wrong. What I meant was that polkit is conceptually equivalent to UAC (at least it is supposed to solve the same problem). However it’s not really a fair comparison, as “polkit on Linux” isn’t one concrete thing you can analyse, it’s more of a pile of Lego blocks, which you could assemble any which way. In theory, with Wayland you could build a secure polkit agent that would not allow the malware to interact with it.
In reality this is a moot point, as most privilege elevation is still done via sudo anyway.