@m0ll3art, you are mixing things up.
“Unlocking” is the offline action that is done on the client side after data has been downloaded. This cannot really require 2FA in any way.
“Logging in” is the online action that downloads the encrypted store locally. This can already require 2FA if it is enabled.
Introducing automatic logout and removal of the local store copy would not really solve many problems because at the end of the day it all comes down to trust that your live system and server are not compromised.
If your computer is owned, they get all of the credentials by waiting for you to unlock the database once, even if you use 2FA. Current password stores protect you in case you lose your laptop or something like that.
If the server gets owned, the attacker can wait for you to log in and get the credentials for the store. (KeePass password stores in Dropbox are potentially more secure because the Dropbox password can differ from the KeePass password. With Bitwarden they are the same.)
Then of course there are also organization credentials which have to be shared, and thus the key to them has to be stored on the server as well. So in this case the attacker wouldn’t even have to wait for the user to log in.
And believing that locking the database removes the master password from memory everywhere is just wishful thinking. In reality it is stored in multiple places, most of them out of reach of the developer of the software, especially in the case of browser-based tools like Bitwarden.
Here is a nice article about it: https://www.securityevaluators.com/casestudies/password-manager-hacking/ They didn’t test Bitwarden but it is probably in an even worse position due to being built using web tools.
Windows, Linux, macOS, iOS, Android and major browsers usually get serious vulnerabilities discovered multiple times a year. The ones seen in the wild get patched quite fast though. So far we haven’t seen many global campaigns that use these vulnerabilities in a very advanced way, and the last major ones were probably the extorting crypto viruses. But if an advanced actor targets you or your organization specifically, you probably won’t be able to successfully defend against it and the current generation of password managers won’t be sufficient.
For serious things, if you want better security, use hardware-backed credential stores and hardware 2FA like Yubikey (but even those can’t be 100% trusted). You can store limited TOTP entries on it and you can never get the seed out of it, only the calculated value. Hopefully in time Apple and others will improve their hardware and SDK to allow storing more kinds of secrets in their secure element, but currently I don’t think they are mature enough.
So don’t store the most mission critical data and TOTP seeds in Bitwarden and you should be good enough.
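
The seed-versus-calculated-value distinction in the post above, as an added example that is not part of the original post: a standard RFC 6238 TOTP computation showing that a copy of the seed read out of a vault yields valid codes at any later time, while a single code observed from a token does not. The `HardwareToken` class is a hypothetical software model of a device that never exports its seed, and the seed is the public RFC 6238 test value.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given moment."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class HardwareToken:
    """Hypothetical model of a token: the seed goes in, only codes come out."""

    def __init__(self, seed: bytes):
        self.__seed = seed  # a real device keeps this inside the secure element

    def code(self, unix_time: int) -> str:
        return totp(self.__seed, unix_time)


# Constructed sample input: the public RFC 6238 test seed, not a real secret.
SEED = b"12345678901234567890"


def demo() -> dict:
    token = HardwareToken(SEED)
    vault_copy = SEED          # seed stored as a vault entry, readable after unlock
    now, later = 59, 1111111109

    observed = token.code(now)  # all that can be captured from the token itself
    return {
        "code_now": observed,
        # With the seed, codes for any future time can be computed off-device.
        "from_vault_seed_later": totp(vault_copy, later),
        "from_token_later": token.code(later),
        # A captured code is useless once its 30-second window has passed.
        "observed_code_valid_later": observed == token.code(later),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
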