Just like any software or hardware LAN or WAN accessible service that needs to access information in your login account in order to provide the requested services, a key in your login keychain must be available for the service or else the service will have to ask you for a password to provide the requested service.
The problem is, most people don't realize how the keychain system works, and they simply enter their password when prompted at the time they are requesting the service. Then later, when they remove the service from their keychain or change their login password, the service prompts the user for the new password. Also, many people forget which services they orginally requested and that makes it seem like the services had been secretly entering their login account and gaining access to information.
But the keychain access allows the application to access its own keychain, or that keychain that it created in your login account when you first set up the service.
I am just now learning about this, but it seems that the keychain system (built on Kerberos protocols) is very much similar to the file and directory permissions system. The difference is that the file and directory permissions is for a single computer, while the keychain system provides security over any kind of local or global network.
I have been glossing over learning about keychain services, as I used to do for file permissions, but now I see both of these security standards are critical and important for maintaining proper function and security over any kind of computer system or network.
ABOUT KEYCHAIN SERVICES