Vault item protection for IN/OUT operation

Each time Bitwarden is unlocked with the master password, the full database is exposed to any malicious software running on the PC.
To reduce this type of attack, I would propose that the “Master password” partially unlocks the database to give access to the name, login and URL of vault entries (with integrity protection to detect phishing sites).
Then, each time a credential (password, passkey, OTP) is exposed outside of the vault to fill an authentication form, a second action is required to fully unlock the vault item: either a PIN, a security key button push, or NFC contact.

To get a trusted vault, each IN/OUT operation must be validated or “signed” by manual acknowledgement. I think it could reduce credential leaks … (more secure than an inactivity timeout expiration for the entire vault).
Thanks in advance for the discussion on this topic.
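
A sketch of the two-tier item layout proposed above, as an added example that is neither the poster's code nor Bitwarden's. All function names are hypothetical; scrypt, AES-256-GCM and a PIN as the second factor are assumptions chosen for illustration.

```javascript
const nodeCrypto = require('crypto');

// AES-256-GCM helpers; aad is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, box, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on tampering or wrong key
}

// Tier 1 key: derived once, when the master password unlocks the vault.
const tier1Key = (masterPassword, salt) => nodeCrypto.scryptSync(masterPassword, salt, 32);
// Tier 2 key: needs the tier 1 key AND the per-release second factor (assumed: a PIN).
const tier2Key = (masterKey, pin, itemSalt) =>
  nodeCrypto.scryptSync(Buffer.concat([masterKey, Buffer.from(pin)]), itemSalt, 32);

function storeItem(masterKey, pin, meta, secret) {
  const itemSalt = nodeCrypto.randomBytes(16);
  const metaBytes = Buffer.from(JSON.stringify(meta));
  const secretKey = tier2Key(masterKey, pin, itemSalt);
  return {
    itemSalt,
    meta: seal(masterKey, metaBytes, itemSalt),             // name/login/URL: tier 1
    secret: seal(secretKey, Buffer.from(secret), metaBytes), // tier 2, bound to the metadata
  };
}

// After master-password unlock: metadata only, integrity-checked.
function readMeta(masterKey, item) {
  return JSON.parse(unseal(masterKey, item.meta, item.itemSalt).toString());
}

// OUT operation: needs the second factor and an origin matching the stored URL.
function releaseSecret(masterKey, pin, item, requestingOrigin) {
  const metaBytes = unseal(masterKey, item.meta, item.itemSalt);
  const meta = JSON.parse(metaBytes.toString());
  if (new URL(meta.url).origin !== requestingOrigin) throw new Error('origin mismatch');
  return unseal(tier2Key(masterKey, pin, item.itemSalt), item.secret, metaBytes).toString();
}
```

With this layout, a process that reads the tier 1 key from memory after unlock can list entries but cannot decrypt a secret without the second factor supplied at release time.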