Question about security settings and consequence

Sure. I was just summarizing the community’s reaction when Ambiso’s claims first made the rounds of the online (in)security publications, back in March. To help you in your assessment of Brinkmann’s article for gHacks, I would point out that nowhere does he disclose that unlocking by PIN only becomes a vulnerability if the user deliberately disables the “Lock with master password on restart” safeguard (which is enabled by default), nor do his “Recommendations” at the end of the article include the obvious solution of re-enabling the option to “Lock with master password on restart” (or to not touch the default setting when enabling a PIN).


This is inaccurate. It is the symmetric encryption key that gets encrypted using a stretched key derived (using the account’s KDF settings) from the PIN; the vault itself remains encrypted using the original symmetric key.


As I responded originally, I have limited knowledge of the biometrics implementation, as I do not use this option myself.

There was some relevant discussion about biometrics security in a recent update to one of your other threads:

To your final question:

No, the local vault cache is always encrypted. However, when you select the option to Never lock, the symmetric encryption key itself is saved (unencrypted) in persistent storage on your device. As explained in @Quexten’s comment linked above, the symmetric encryption key is stored in the Windows keystore API, and available to anyone or any process logged in to your device as you.
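Added example, not the original poster's code and not Bitwarden's implementation: a standard-library Python model of the key hierarchy described in this reply. The vault's symmetric key is wrapped under a key stretched from the PIN with the account's KDF, and the three configurations ("Never lock", PIN with "Lock with master password on restart" enabled, PIN with it disabled) differ only in what survives on disk. The KDF (PBKDF2-SHA256 with a constructed iteration count), the HMAC-based authenticated-encryption stand-in and the 32-byte key size are assumptions of the model, not the real client's construction.

```python
import hashlib
import hmac
import os

# Assumed account KDF setting (PBKDF2-SHA256); constructed value, not taken from the thread
KDF_ITERATIONS = 600_000

def stretch_pin(pin, salt, iterations=KDF_ITERATIONS):
    """Stretched 64-byte key from the PIN: first half encrypts, second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=64)

def wrap_key(sym_key, stretched):
    """Encrypt-then-MAC the 32-byte vault symmetric key under the stretched key.
    Stand-in for an authenticated cipher (assumption, stdlib only): one HMAC-SHA256
    keystream block XORed over the key, followed by an HMAC-SHA256 tag."""
    enc_key, mac_key = stretched[:32], stretched[32:]
    iv = os.urandom(16)
    stream = hmac.new(enc_key, iv, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(sym_key, stream))
    return iv + ct + hmac.new(mac_key, iv + ct, "sha256").digest()

def unwrap_key(blob, stretched):
    """Reverse of wrap_key; returns None when the tag fails (wrong PIN or tampered blob)."""
    enc_key, mac_key = stretched[:32], stretched[32:]
    iv, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, "sha256").digest()):
        return None
    stream = hmac.new(enc_key, iv, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def persisted_state(mode, sym_key, pin="", lock_on_restart=True, iterations=KDF_ITERATIONS):
    """Model of what remains in persistent storage after a client restart, per configuration."""
    if mode == "never_lock":
        # The symmetric key itself is saved unencrypted, readable by anything running as the user
        return {"symmetric_key": sym_key}
    if mode == "pin":
        salt = os.urandom(16)
        wrapped = wrap_key(sym_key, stretch_pin(pin, salt, iterations))
        if lock_on_restart:
            return {}  # wrapped key held only in memory; master password required after restart
        return {"pin_wrapped_key": wrapped, "salt": salt}  # persisted; rests on PIN entropy alone
    raise ValueError("unknown mode: " + mode)

def key_exposed_without_secret(state):
    """True when the stored state yields the symmetric key with no PIN or password at all."""
    return "symmetric_key" in state

def unlock_with_pin(state, pin, iterations=KDF_ITERATIONS):
    """Recover the symmetric key from persisted PIN state; None if nothing persisted or wrong PIN."""
    if "pin_wrapped_key" not in state:
        return None
    return unwrap_key(state["pin_wrapped_key"], stretch_pin(pin, state["salt"], iterations))
```

The vault data is never touched by any of these modes; only the handling of the symmetric key changes.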