You make it sound like that stance is elitist, but it's the opposite: it's our knowledge of how easy it is to get the level of "Defcon Attendee" that motivates us not to implement cosmetic security features.
But it's not. Not THAT easy. I'm a developer, with a fair bit of experience, and I'm nowhere near the average defcon attendee. (Unless I'm badly overestimating their abilities).
My mom? She asked a shop owner, two days ago, 'do you have a, uh, online thing? You know, with the pictures?'
And yet, "Mom, experiment: type 'chrome://settings/passwords' in my browser and see how many passwords you can steal in 60 seconds".
You are badly overestimating their abilities, for instance by assuming that the typical Defcon attendee can code. We're talking past each other. Just take my word for it that bypassing the proposed "master password" is even easier than I've managed to make it sound.
My mom? She asked a shop owner, two days ago, 'do you have a, uh, online thing? You know, with the pictures?'
And yet, "Mom, experiment: type 'chrome://settings/passwords' in my browser and see how many passwords you can steal in 60 seconds".