[flagged]
todsacerdoti 11 months ago



It doesn't capture every keystroke in the system; those sent to an elevated window are not sent to the low-level hook: https://stackoverflow.com/q/52696285

This fits with the security model of Windows, and PCs in general. Processes from the same user can see and interact with each other, but not with those of another user. Users are expected not to run any process from shady vendors.

This might seem lightweight security in the age of too much internet where everyone runs anything, but it is what enables some kind of openness and control on those platforms, vs. the very controlled interfaces of smartphones.


Fun fact: every videogame on Windows is potentially a userspace keylogger if you let it run in the background while, e.g. browsing the web etc.

Basically, any application that uses the Raw Input API can request to receive raw device events even when the application is not running in the foreground, by using the RIDEV_INPUTSINK flag.

The app will then receive every raw device input packet that the hardware sends to the system, replete with timestamps[0] and your mouse position when the event happened[1].

In the case of keyboards it would provide the virtual-key codes and scancodes[10].

Rawinput is used by modern FPS games like Valorant[11], so if you leave it running in the background it may potentially be able to observe your every single keystroke while you use your browser, enter passwords, etc.

TPMouse, my open-source trackball-emulation script that lets you use the home row as a trackball for your cursor[100], uses Raw Input with the RIDEV_INPUTSINK option so that it runs entirely in userspace without needing to hook to low level drivers.

It is certainly a double-edged sword -- for open source it's a convenience blessing since what you're running can be inspected directly, but in the case of closed-source games like Valorant you're relying on your trust of Riot Games's intentions and competence.

[0] https://learn.microsoft.com/en-us/windows/win32/api/winuser/...

[1] https://learn.microsoft.com/en-us/windows/win32/api/winuser/...

[10] https://learn.microsoft.com/en-us/windows/win32/api/winuser/...

[11] https://playvalorant.com/en-gb/news/game-updates/valorant-pa...

[100] https://github.com/EsportToys/TPMouse


This is vital for accessibility tools, like screen readers for blind people. Also for as-you-type word prediction tools, autocorrection that works globally.

More generally, power like this lets you turn Windows machines into A Thing That Does Just What You Want, rather than a locked-down thing like an iPad. Which are also great, but a different use case. For example, you could use this for exam proctoring, or kiosks, or remapping Windows keys to particular functions in your video game or Android emulator.


The footnote shows the dialog that macOS shows when macOS apps try this, but I'd also like to point out that the macOS equivalent does not receive keystrokes while a password field has focus.



