This is a specific threat model where the attacker can watch live file changes undetected. This may be acceptable e.g. for a laptop without historical archives of the file.
Good point and good to be aware of. Still, it requires dedicated physical access and specialized physical equipment, right?
I think that at least for the foreseeable decade or so, there are only a handful of individuals globally for whom this would be a practical vector rather than a purely theoretical one.
It'd be interesting to see if it can be practical to improve in regard to that.