Thanks @Saoiray for your excellent explanation. I don’t have much to add, but I want to restate some of the points you have made.
There are two separate things here:
- Backing up your crypto wallet and storing the paper copy of the key in a safe place.
- Keeping your local passwords safe even when using Brave Sync.
The first point is to protect against the loss of your funds, should your computer go missing or break down, etc. Of course, this copy of the key must be kept secret because it allows anybody to have access to your funds.
The Sync code is not a backup and it’s not designed to help in case you lose access to your computer. Instead, it’s to make it possible to share your bookmarks and passwords across all of your devices without making them visible to Brave (they are end-to-end encrypted).
In both cases, the crypto wallet or the passwords saved in Brave, you need to make sure that your computer is secured. If someone has access to your computer (for example, it’s left logged in and unlocked without a screen saver password), then anybody could come in and view your passwords inside the browser. Similarly, that person using your computer without your permission could install software to copy the relevant files to a USB stick and then steal your data/funds later. Or, as you point out, they could steal your Sync QR code and sync your data to their computer later.
Brave cannot effectively protect against all of these attacks because in order for the password manager to work and fill in your passwords for you, it needs to have the passwords available somewhere in memory. Some users make use of third-party password managers which require the use of a master password each time a password is filled in. That helps protect the passwords to some extent, but if someone else can use your computer without your permission, they could also install a keylogger, or steal your session cookies. At the end of the day, users need to take steps to secure their computers against what is usually called “physical” attacks (someone physically using your computer). Full-disk encryption and screen saver passwords are highly recommended. Logging out and shutting down your computer when not in use are also good habits.
We do take our users’ security seriously and that’s why we want to be careful not to give users a false sense of security. Hiding the Sync key in the user interface, for example, would hide the fact that it’s still available in memory because the browser needs it to keep syncing with other devices.
I hope this helps.
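As an added example (not part of the reply above, and not Brave's own code), here is a small POSIX shell check for the two "physical attack" mitigations the reply recommends: that the root filesystem sits on a dm-crypt/LUKS layer, and that the screen locks automatically after a short idle period. It assumes a Linux desktop with util-linux `findmnt`/`lsblk` and GNOME's `gsettings`; those tools, the `org.gnome.*` keys and the 600-second idle ceiling are my assumptions for the illustration, not anything the post states. Other desktops need a different lock probe.

```shell
#!/bin/sh
# Added example, not from the original post: check the two mitigations the
# reply recommends on a Linux desktop (assumed; util-linux + GNOME gsettings).

# fde_layer_present: read the output of `lsblk --inverse -n -o TYPE <dev>` on
# stdin (the device holding / followed by every block device beneath it) and
# succeed if any layer is a dm-crypt ("crypt") mapping, i.e. LUKS.
# LVM-on-LUKS therefore passes too: its stack reads lvm / crypt / part / disk.
fde_layer_present() {
  while read -r type; do
    [ "$type" = "crypt" ] && return 0
  done
  return 1
}

# autolock_ok IDLE LOCK: IDLE is the gsettings value of
# org.gnome.desktop.session idle-delay (e.g. "uint32 300"), LOCK is
# org.gnome.desktop.screensaver lock-enabled ("true"/"false").
# Succeed only if locking is on and the idle timeout is between 1 and
# MAX_IDLE seconds (0 means "never lock"). MAX_IDLE is an assumed policy.
MAX_IDLE=600
autolock_ok() {
  idle=${1#"uint32 "}
  case "$idle" in ''|*[!0-9]*) return 1 ;; esac   # not a plain integer
  [ "$2" = "true" ] || return 1
  [ "$idle" -gt 0 ] && [ "$idle" -le "$MAX_IDLE" ]
}

# live_check: run both probes against this machine and print a verdict each.
live_check() {
  src=$(findmnt -n -o SOURCE /) || { echo "root FDE: cannot find root device"; return 2; }
  src=${src%%\[*}   # btrfs reports "/dev/x[/subvol]"; keep the device only
  if lsblk --inverse -n -o TYPE "$src" | fde_layer_present; then
    echo "root FDE: OK ($src is on a dm-crypt layer)"
  else
    echo "root FDE: MISSING ($src has no dm-crypt layer)"
  fi
  idle=$(gsettings get org.gnome.desktop.session idle-delay 2>/dev/null)
  lock=$(gsettings get org.gnome.desktop.screensaver lock-enabled 2>/dev/null)
  if autolock_ok "$idle" "$lock"; then
    echo "screen lock: OK (idle-delay $idle, lock-enabled $lock)"
  else
    echo "screen lock: WEAK (idle-delay '${idle:-unset}', lock-enabled '${lock:-unset}')"
  fi
}

# Only probe the real system when asked (`sh check.sh --live`), so the
# functions above can also be sourced and exercised on captured output.
if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

Run it with `--live` on the machine you want to check. The parsing functions are separated from the probes so you can feed them `lsblk`/`gsettings` output captured from another host, which is also how the assertions below exercise them without touching real devices.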