Hacker News
by emodendroket 1789 days ago
If the attacker has access to your device, you're going to be severely compromised no matter what you do. Why pretend otherwise?
2 comments

True, if an attacker has control of your device you are probably screwed anyway, but there are still different degrees of screwed. There are more and less privileged portions of your system, and keeping sensitive data in less secure areas is still not a great idea. With browsers offering clipboard access as a JavaScript API, it is definitely an area I would consider less well secured than, say, read-protected memory or a process-isolated browser extension sandbox.
Fair point, but I don't think you can _read_ the contents of the system clipboard, can you? I thought you could set it but had to wait for a paste event to read it.
It requires a permission request, but yes, there's a browser API to read the clipboard contents https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/r...
On iOS and Mac the clipboard is readable to all apps without interaction. (E.g., Slack allows login on Mac desktop by copy/pasting text from the browser. Chrome on iOS will auto-paste from clipboard to show a target URL.)
Both of your statements are valid. If an attacker has access to your device you are *severely* compromised and you can't do much. I am going off the idea that your password manager clears your clipboard history however, but this is a valid and true statement. The thing is: nothing will be 100% secure. Ever. But if we evolve our security at the same rate loopholes, etc. are being found, we can prevent data breaches, identity theft, etc. before it even happens.
I guess my feeling is that doing something like this when your machine is already compromised is a little like putting your key under the welcome mat instead of leaving it plainly visible. Perhaps for the very incurious attacker they won't get around it but it's not much effort to find.