
>the attack already assumes access to the workstation of the victim

I seldom can take "vulnerabilities" that require physical access seriously, because if a hostile is physically next to my computer I have more pressing concerns than some passwords.



Yes, it requires an attacker in a powerful position, but it does not require physical access. Any program that runs in the user's session (without any special privileges) could have autonomously retrieved the biometric key and decrypted the vault without user interaction and without Bitwarden running.


They mentioned not wanting to use keyloggers which would be their standard approach.


The problem is that an unsophisticated user doesn't necessarily think like that, and could come to the conclusion that it is not a big deal to leave their workstation unlocked while going to fetch a coffee; after all, well... "I have a password manager, and to have access to it, it requires unlocking." Then some colleague calls them into an ongoing meeting so they can share some insight about some question that was raised in the meeting, and so on.

A far-fetched scenario? Yes. But if it can happen, it will happen.


That unsophisticated user is also likely to have a printed-out list of passwords taped to their monitor, or an unprotected Excel file labelled "Passwords".


To this day I don’t understand how “computer repair” shops are in business. When I was a shithead 16 year old I used to work at one. I found it amusing to see what files people deleted before giving us full physical access to their machines. I definitely saw things I shouldn’t have seen. It wasn’t until I saw something illegal that I freaked out and stopped doing it. I was so paranoid that I srm’ed my entire drive and theirs and never mentioned it to anybody. In retrospect I should have, but I was 16 and didn’t know what to do.


For most people (i.e. not us), computers are just another household appliance in the same vein as televisions, washing machines, refrigerators, and air conditioners. If it breaks, you get it fixed by a technician or go and get a new replacement.


Yet they instinctively understand that they should delete certain files and prepare their computers for repair. We've had many who would walk in asking, "Hey, my computer is doing X. Is this fixable?" We would have no idea, of course. We'd always ask if we could see it, and they would say, "I just don't wanna have to get it ready for repair if it wasn't possible."

This is why I totally understand when Apple or MS go overzealous with encryption or T2 or secure boot. Despite "people like us" complaining about it.


If you have machines that have users logged in, that are unlocked when none of your users are working on them, and that are within reach of a third party, you have bigger problems than this.


Everybody thinks their machines aren't within reach of a third party until they are!


In this case, physical access is very brief and almost imperceptible if you're not paying attention.

It's different from trying to pry open an encrypted hard disk from a laptop or something similar.

You probably won't even know that coworker you trust is compromised and attacked you this way.




