The problem is these password managers are lucrative targets, especially being able to gain access to a person's financial accounts. Simply disregarding the issue and categorizing it as "Attacks requiring physical access to a user's device" isn't good enough. Yes, there's only so much Bitwarden can do from the software side of things, without hardware support to back it up. But Bitwarden should still do what it can to mitigate such attacks, such as significantly increasing the number of PBKDF2 iterations for PINs (at least stored on disk; a key could be cached in RAM with fewer iterations because RAM is far less likely to be compromised than files on disk), and discouraging (or even preventing) users from using short PINs that could be quickly brute forced.
BW is/has switched to Argon2 over PBKDF2, fwiw. Although Argon2 trades the iterations field for an allocated amount of memory, so time will tell if there isn’t a “BW accounts with 16MB of argon2 allocation are no longer considered secure”.
