
The reason this is strange behaviour is that when you try to access private info from within keychain you have to enter your user password each time. Using this command you just need to click on the allow button.

The keychain only allows applications that you authorize to access a given password, right? So for example, when I upgrade Transmit, it needs to ask for my permission to access the passwords again. Does that give it access to everything or just a specific password / set of passwords?



An application can only read passwords you've specifically allowed it to. When you upgrade Transmit it only gets access to that subset.

If you're curious, go to Keychain Access, double-click an item and look at the Access Control tab. You can even force password entry there if you want extra security on certain items.


Perhaps, but the Transmit developers could actually even use code signing to get Keychain to recognize multiple versions (new ones, but also alternative builds such as might be distributed by the Mac App Store) as the "same" application (Google "designated requirements"). Either way, though, barring security bugs (including unnecessarily permissive designated requirements being used by other apps), this should only give Transmit access to passwords you've specifically authorized for Transmit. Of course, if Transmit were malicious and one of these passwords happened to be your local login password...



