As concerning as the exploit is, Bitwarden's purported response is even more so; FTA:
> I've reported the issue to Bitwarden previously, however it was marked out of scope as it belongs to one of these categories:
>> Attacks requiring physical access to a user's device
> or
>> Scenarios that are extremely complex, difficult or unlikely when utilizing already compromised administrative accounts, self-hosted server, networks or physical devices which would render much easier and alternate means of compromising the data contained within Bitwarden
> This is however not entirely true: only the device-local encrypted vault data needs to be accessed. If accessing device-local data is outside of the threat model, why are we encrypting these data at all? We might as well store them in plain text.
> I've reported the issue to Bitwarden previously, however it was marked out of scope as it belongs to one of these categories:
>> Attacks requiring physical access to a user's device
> or
>> Scenarios that are extremely complex, difficult or unlikely when utilizing already compromised administrative accounts, self-hosted server, networks or physical devices which would render much easier and alternate means of compromising the data contained within Bitwarden
> This is however not entirely true: only the device-local encrypted vault data needs to be accessed. If accessing device-local data is outside of the threat model, why are we encrypting these data at all? We might as well store them in plain text.