Questionable PIN Security

@dh024 Yes, @Jmac is right: I can reproduce this for a desktop vault that has been PIN-locked after disabling the option "Lock with master password on restart". In my case, I assumed the attacker was using a portable desktop installation – e.g., with D:\Bitwarden-Portable-2022.6.2.exe installed on a USB (D:). On the victim computer, navigate to %AppData%\Bitwarden and copy the data.json file to the USB at D:\bitwarden-appdata\data.json. If the computer is locked or powered off, use a recovery environment on a bootable USB to access the file. The copied vault can still be unlocked using the PIN, from any computer.

Thus, the attacker can take the USB to any other computer, and try to crack the PIN at their leisure. If doing this manually (by trying the obvious 1111, 1234, birthdates, etc.), you can get an unlimited number of unlock attempts simply by closing and restarting the app after each fourth attempt. There may be a hash stored in the data.json file that would make a more automated cracking attempt possible, but I have not explored this yet.

@rpaulson If you are worried about a memory attack, then you are going to be disappointed. Despite what is said in the Bitwarden documentation and whitepaper, whether the vault is unlocked, locked, or logged out, the actual master password is stored in unencrypted plaintext in memory until you shut down the app process completely!