Hello and welcome to the community!
There are generally 3 states: logged out, locked, and open.
When you first log in successfully, you are in the open state, where your encrypted vault is downloaded and persisted on the machine where it is encrypted at all time, and your unencrypted vault and encryption key are in memory. This is where you can autofill and change the content of your vault.
When you set the timeout to lock and you have reached the end of the timeout period, or when you explicitly lock, you are in a locked state. You data on disk remains encrypted; your vault in memory and your encryption key are also encrypted. If you try to autofill or access the vault, BW will ask you to unlock your vault. BW considers this state to be safe, i.e. everything is encrypted. For PC, you should not disable requiring password on restart for PIN/biometrics unlock, because it makes your encrypted vault more vulnerable (unless you can accept the risk).
When you are logged out, your vaults/encryption keys are purged from memory and persistent storage. If you try to autofill or access the vault, BW will ask you to log in.
If you don’t set up PIN/biometrics unlock, sometimes it hard to differentiate between a locked/logged out state, because BW will ask you for a password to unlock or log in. So, you can try setting up unlock by PIN, requiring password on restart, and try this to see the 3 different states more clearly.
; TLDR; in a locked state, all your secrets are encrypted everywhere. Requiring password on restart will keep the encryption strong.