The KCM allows user to authorize and trust (or revoke trust) Thunderbolt 3 devices.
This is done by communicating with the Bolt daemon via DBus (through libkbolt).
The KDED module listens for new unauthorized devices and shows a
notification with a button to authorize when such device is connected.
See https://mail.kde.org/pipermail/plasma-devel/2019-February/093482.html for details and a link to a video.