Interesting how do you do that exactly?
I was thinking you can just start the app that has permission to read the wallet, attach a debugger and then inject code to dump the wallet. It's definitely more complicated than reading a plain text file but not fundamentally less possible.
But really if you have that level of access it's game over anyway and you just MitM sudo and get root access, or use one of the many local privilege escalation vulnerabilities and get root immediately.

Huh I was under the impression that you could limit it to specific applications and dbus would tell kwallet the path of the application making the request (which could be done at least vaguely securely). But upon further investigation it just uses the "appid" that the app reports which it can apparently set to anything it wants. It's difficult to find information about this stuff though. D-bus is not very well documented at all.