Securing Electron Applications with OpenID Connect and OAuth 2.0

Hey there! Yes, it is technically possible for the developer to capture traffic there; that said, that is true for any process running with sufficient privileges on the desktop regardless of whether they are in focus (whereas if you were working on an app on iOS or Android, every app would have exclusive focus at any given time, hence outsourcing auth to the system browser would be an effective way of preventing keylogging).
Use of the system browser on the desktop is problematic, mostly for user experience limitations with today’s browser support on desktop operating systems. In fact, most desktop apps (Slack, Office, Visual Studio, Visual Studio Code, even the Google Drive app) nowadays use some form of embedded browser. Desktop clients using the system browser are rare (GitHub is the only example I know of, really) and do have usability challenges.
There is good progress occurring in modern operating systems; see for example the new features in Apple beta OS making it possible on the desktop to invoke the system browser in the same style. But for the time being, if you want to target current OSes, the embedded browser is what most native clients do on desktops.