Needing authorization for changing sensitive permissions is a good protection from malicious input devices like this one: https://vid.puffyan.us/watch?v=LRVlaNfthbg
If the only thing stopping a malicious usb from enabling native code debugging, disabling secure app spawning, and a lot of other things outside the security settings is just a clickable toggle then we may have a problem, IMO its better if some settings are protected even if the device is unlocked.