by jbroman 2784 days ago
If you can run code with the same privileges as Chrome (under an authenticated user account), then on most desktop OSes, you can do whatever Chrome can do, including access the password store.

This may be a more convenient way to do so, but ultimately it's an attack that's rather hard to defend against under the usual desktop user-based access control model.

1 comments

If the passwords are encrypted at rest via secure enclave, then that isn't true[0], aside from other noisy attacks[1]. Yes, local untrusted code is bad, and a dedicated attacker attacking a specific target can probably escalate to stealing a full Chrome cookies file, but that type of attack won't be worked into random malware floating around.

[0] https://security.stackexchange.com/a/170485/117977

[1] Code that shows, say, a false user login screen or exploits a previously unknown OS vuln to escalate privileges.