My personal belief is that users should not be required type their password into random applications, terminals, and pop-up windows. Of course, login screens can be faked too.

So my main user account does not have sudo permissions at all, I have a separate account for that.

I'm lazy, so I have sudo and 1P/op gated by biometric. If for some reason biometric doesn't work (which happens a lot in Ubuntu... sigh...) I have a long alt-password that works instead. Otherwise I never type passwords, I only get them from 1P, because they're all complex and unique so I wouldn't remember them anyway. If I get a prompt I wasn't expecting, I cancel it.