The security breach that matters for the purposes of this discussion would be a breach of Bitwarden’s servers. Bitwarden had 100,000 registered users in 2018, so assuming 50% annual growth since then, a successful heist would net approximately 500,000 encrypted vaults.
These would then have to be cracked, whether by brute force, social engineering, or spear phishing. Those vaults whose owners have set master passwords that are weak or re-used will be the first to fall, but even those will require some effort to crack. Because of the time and effort needed to find a poorly guarded vault, including the time and effort to go through the cracking process (which is only semi-automated), I believe that once a master password has been successfully cracked, special attention will be paid to extracting maximum value from the breached vault. That is why I don’t think it would be any significant effort to brute-force a 2-4 digit code compared to the effort that was required to get in to the vault in the first place.
I think that your idea of a locally stored pepper would potentially be useful for protecting against master password leaks (by shoulder surfing, inadvertent disclosure, etc.), but I don’t think it would be very helpful for protecting against a breach of Bitwarden’s servers. The concept of a secret key or keyfile (as used by 1Password and KeePass) would be a more effective prophylactic against a server breach.
Of course, the best protection is a strong master password.