If passwords are fetched remotely on-demand, you steal the account API key from memory.
If they're encrypted, you steal the master password or decryption key.
... So what's your solution?
I think it’s more about layers of defense being always better than relying on a single point of failure.
IIRC those bugs could only steal data, not do remote execution. If you did not store even the encrypted passwords in memory, getting the password/key to them compromised would still keep you safe, or at least upgrade it to a timing attack.