It sounds like you really haven't explored how to use Keychain Access -- including some of its most basic features like ACL configuration and multiple keychains.
1) Relocking the keychain can be done through the menu bar, if you enable the keychain menu item. You don't have to open Keychain Access. When I let someone else sit down at my account for a moment, I lock the keychain. This is not a very difficult "workflow". This same menu gives you a "lock screen" item.
2) If you want to unlock and lock things with finer granularity, you can put those things in different keychains. For example, put your mail password in its own keychain. When you unlock that keychain, nothing else gets unlocked.
3) If you want to make it so new applications require typing in your password before accessing a password (rather than just confirming with a yes/no dialog box), you can check the box in the password ACLs. It's a bit of a bummer that there's no global setting for this.
I think we have to weigh this against all the other bad things that someone could do when given access to your account. If the keychain containing your email password is unlocked, it's basically game over, since there's so much damage they could do with your email account, and it doesn't even require getting the password.