URI matching preference order

Do keep in mind that the default is just that, a default. One can override the match detection for each URL on the vault entry itself.

Even with my default match detection set to “base domain”, I can set both vault.bitwarden.com and community.bitwarden.com to “host” match detection (as below, on the vault entries themselves). The result is that whenever I go to one of those sites, I do not see the other set of credentials.

For this pair of sites, this is primarily a convenience. But, as the recent clickjacking vulnerability shows, “host” also prevents your goodguy.googlesites.com credential from being auto-filled onto badguy.googlesites.com. The lesson from this vulnerability is that the more conservative approach is setting your default to “Host” and then overriding with “base domain” only for those credentials that need it, such as within your own company if they use Windows Authentication for internal websites.
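
Added example (not part of the original post and not Bitwarden's own code): a small model of how a global default and a per-URI override decide which vault entries are offered on a page. The function names, the sample vault and the `corp.example` hosts are hypothetical, and the base domain is approximated as the last two DNS labels, whereas a real client consults the Public Suffix List.

```javascript
// Added illustration of "host" vs "base domain" match detection.
// Assumption: base domain = last two DNS labels (no Public Suffix List lookup).
function baseDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// "host" compares hostname (and port, if any); "baseDomain" compares
// only the approximated registrable domain.
function uriMatches(savedUri, pageUrl, mode) {
  const saved = new URL(savedUri);
  const page = new URL(pageUrl);
  if (mode === "host") return saved.host === page.host;
  if (mode === "baseDomain") {
    return baseDomain(saved.hostname) === baseDomain(page.hostname);
  }
  throw new Error(`unknown match mode: ${mode}`);
}

// A match mode set on the URI itself overrides the global default.
function credentialsFor(pageUrl, vault, defaultMode) {
  return vault
    .filter((entry) =>
      entry.uris.some((u) => uriMatches(u.uri, pageUrl, u.match ?? defaultMode))
    )
    .map((entry) => entry.name);
}

// Constructed sample vault (hypothetical entries).
const vault = [
  // No per-URI setting: follows the global default.
  { name: "goodguy site", uris: [{ uri: "https://goodguy.googlesites.com/" }] },
  // Explicit override for internal sites that share one login.
  { name: "intranet SSO", uris: [{ uri: "https://portal.corp.example/", match: "baseDomain" }] },
];

// Default "baseDomain": the sibling subdomain is offered the credential.
console.log(credentialsFor("https://badguy.googlesites.com/", vault, "baseDomain"));
// Default "host": the sibling subdomain is offered nothing, while the
// overridden intranet entry still matches other corp.example hosts.
console.log(credentialsFor("https://badguy.googlesites.com/", vault, "host"));
console.log(credentialsFor("https://wiki.corp.example/", vault, "host"));
```
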