by ykonstant 1271 days ago
Regarding this, I think I am doing something stupid: I am syncing my KeePassXC database with Syncthing, and I am also using a keyfile. The keyfile, I copy manually from my computer to my other devices. But when it comes to my phone/tablet, I copy the key to some random location in the Android filesystem, say DCIM. Is that... like... ok? Or is it something any app has access to and people now have my key potentially?
1 comments

Android is a lot more sandboxed than desktop OSes, where you already have this situation: all software that runs can access your keyfile (hypothetically). I wouldn't be too worried. They still need access to your kdbx file, your password, and to know that your keyfile is a keyfile.

Seems like a low risk unless your threat model includes a nation state which performs a targeted attack against you.