In recent years we've also had browser-exploitable vulnerabilities that allowed reading arbitrary memory as a regular user, but slowly or without full control over the locations. I think wiping credentials as soon as possible after use is a very sensible precaution, even if it's only a moat.

I wonder about those kinds of exploits that sit on a webpage, but what stops someone from injecting their payload on a site's login page? JS can grab the password in plaintext in such a scenario, at which point the password manager does not save you. Can we normalize Passkey more?

I think the point is that you can have an arbitrary website read the browser’s memory, so example.com can read the password for example.org and example.net.

Or the computer's memory via Meltdown and Spectre-like attacks

That's why I disable JS by default with uBlock Origin. And OFC never allow JS to access your clipboard.

It's surprisingly hard to do: the compiler or CPU may see a write without a read and optimize it away. Windows has a SecureZeroMemory and a few other barrier primitives, but not all languages reach to it.
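
The dead-store problem raised in the last comment, as an added C example that is not part of the thread: `login_weak` clears its buffer with a `memset` an optimizer is allowed to delete, while `login_hardened` wipes through a volatile pointer. The function names, the `checksum` stand-in for real credential use, and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Wipe through a volatile lvalue: compilers treat each store as observable,
 * so the loop is not removed as a dead write. Platform equivalents are
 * SecureZeroMemory (Windows), explicit_bzero (glibc, BSDs) and the optional
 * C11 Annex K memset_s. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
#if defined(__GNUC__) || defined(__clang__)
    /* Compiler barrier: keeps memory accesses from moving across the wipe. */
    __asm__ __volatile__("" : : "r"(buf) : "memory");
#endif
}

/* Hypothetical stand-in for whatever actually consumes the credential. */
static unsigned checksum(const char *s)
{
    unsigned h = 0;
    while (*s)
        h = h * 31u + (unsigned char)*s++;
    return h;
}

/* Weak: buf is never read after memset, so the call is a dead store
 * and an optimizing build may drop it, leaving the password on the stack. */
unsigned login_weak(const char *password)
{
    char buf[64];
    strncpy(buf, password, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    unsigned h = checksum(buf);
    memset(buf, 0, sizeof buf);
    return h;
}

/* Hardened: identical flow, but the wipe survives optimization. */
unsigned login_hardened(const char *password)
{
    char buf[64];
    strncpy(buf, password, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    unsigned h = checksum(buf);
    secure_wipe(buf, sizeof buf);
    return h;
}
```

The wipe only covers this one buffer; copies the credential left elsewhere (the caller's string, registers, swapped pages) are untouched.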