Yes, the email verification code is required only when a user has logged in without a master password.
To me, what would make most sense is a requirement to re-authenticate (using master password, device, passkey, etc.).
But with the current system, is is the user’s responsibility to ensure that the vault is locked when not in use, to prevent access by unauthorized individuals.