isn't it at risk of any code pathway that somehow allows you exceed a buffer and read memory unbounded? Then a nefarious web page could capture that? That's a huge exposure surface.

I'm pretty sure a read exploit in a web page wouldn't be in the same process as the passwords.

If you can cross over to the main Edge process, you can probably get it to remove any encryption it applied itself.