[3pt14159]

If the passwords are encrypted at rest via secure enclave then that isn't true[0] aside from other noisy attacks[1]. Yes local untrusted code is bad and a dedicated attacker attacking a specific target can probably escalate to stealing a full chrome cookies file, but that type of attack won't be worked into random malware floating around.

[0] https://security.stackexchange.com/a/170485/117977

[1] Code that shows, say, a false user login screen or exploits a previously unknown OS vuln to escalate privileges.