It's because the OSK is just another program as far as Android is concerned. It can't directly look into the application, per Android specifications, but it CAN record key presses, even for passwords. It even receives context hints based on the metadata on the input box, so it knows when you're putting in a password. Then it can send your data off to unknown servers.