That’s a funny thing to say. The communication channel between the browser and whatever external password store can be made as restricted as you like… keepassxc and its browser api let you restrict which credentials are offered to the browser, and can let you manually OK each request, for example. It doesn’t need unrestricted read access.
The bitwarden browser plugins are a bit more dubious though, because they communicate with a remote password store with more limited controls, and their enthusiasm for trying to store passkeys and totp hashes is definitely worth avoiding.
That’s a funny thing to say. The communication channel between the browser and whatever external password store can be made as restricted as you like… keepassxc and its browser api let you restrict which credentials are offered to the browser, and can let you manually OK each request, for example. It doesn’t need unrestricted read access.
The bitwarden browser plugins are a bit more dubious though, because they communicate with a remote password store with more limited controls, and their enthusiasm for trying to store passkeys and totp hashes is definitely worth avoiding.