Right, I guess my concern was a brute-force attack on a DB file if it fell into the wrong hands. I looked at the main website again though, and apparently the official Windows app has some protection against this. It says, however, that KeePassX (and I assume therefore KeePassXC) does not have the same level of protection.
Another comment mentioned using a key-file, so maybe I will revisit that approach, since I used password only when I started.
To prevent a brute-force attack, you should choose a long enough password and adjust the iterations parameter on Key transformation. Basically more iterations = more time to brute force, but your application will spend more time opening the database. Longer password = less likely for brute force to succeed.
For me, a 12-character password with the default 60 000 iterations seems safe enough. My estimation is that it would take at least millions of dollars to break it and my passwords are not worth that. You can easily make it unbreakable for the foreseeable future by using something like a 16-character random password and 10 million iterations.
A key file of sufficient length is like an unbreakable password. But you probably can't remember it, so be careful not to lose it. My database is accessible at a public URL which I remember and I remember my password, so I can always download it anywhere and open it. I think that it's a big advantage and I wouldn't want to lose it.
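The trade-off between password length and iteration count described in the comment above, worked through as an added example (not part of the original thread and not KeePass code). It assumes a password drawn uniformly at random from the 95 printable ASCII characters, and the attacker rate `RATE` is a constructed, hypothetical figure.

```python
import math

ALPHABET = 95  # assumption: characters drawn uniformly at random from printable ASCII
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def password_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet)

def total_work_bits(length, iterations, alphabet=ALPHABET):
    """log2 of the transformation rounds needed to try every password."""
    return password_bits(length, alphabet) + math.log2(iterations)

def expected_years(length, iterations, rounds_per_second, alphabet=ALPHABET):
    """Expected search time: on average half the keyspace is tried."""
    guesses = alphabet ** length / 2
    return guesses * iterations / rounds_per_second / SECONDS_PER_YEAR

def extra_chars_equivalent(iter_from, iter_to, alphabet=ALPHABET):
    """Random characters that add as much work as raising the iteration count."""
    return math.log2(iter_to / iter_from) / math.log2(alphabet)

if __name__ == "__main__":
    RATE = 1e12  # hypothetical attacker throughput, rounds per second (constructed)
    for length, iters in [(12, 60_000), (16, 10_000_000)]:
        print(f"{length} chars, {iters:>10,} iterations: "
              f"{total_work_bits(length, iters):6.1f} bits, "
              f"{expected_years(length, iters, RATE):.2e} years at {RATE:.0e} rounds/s")
    print("60 000 -> 10 000 000 iterations is worth "
          f"{extra_chars_equivalent(60_000, 10_000_000):.2f} extra random characters")
```

Under this model, raising the iteration count from 60 000 to 10 million buys about as much as one extra random character, so length dominates. A password a person made up has far less entropy than the uniform-random figure used here.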
When I decided to start using a password manager, I was drawn to KeePass since it is open source and I don't have to rely on any third-party service. But learning how to use it correctly, and juggling your db files among all your devices, requires a sound, thought-out strategy!