@juliank There's an API but it isn't exposed in a way that anyone could query something from it without the user knowing about it. Plus it only works locally and is not exposed to the outside world. Is this one of the features that are insecure in your opinion?
@varjolintu I understand there are some access controls, but they can be buggy. A bug in the browser extension IPC access control could reveal your entire database to your browser.
If you don't have the means to query the database from other processes the entire attack vector goes away.
i.e. keepassxc-light or whatnot could only ever have critical CVEs if it messed up the database encryption.