My jaw is on the floor…I just noticed that anyone can simply open Brave preferences, go to “manage passwords”, and copy ANY password from the list with a single click. That password can be used to access any account that Brave has ever managed, and can be pasted as visible text into a document to reveal the password characters. There is no master password required to access this complete list of every password with every login name for every website Brave has managed. Anyone who takes custody of my computer can simply use Brave to copy, reveal, and use every single password! Simply using Brave makes us vulnerable to catastrophic identity theft and fraud if anyone simply opens Preferences and is allowed to enter the password management option without any security whatsoever.
Just to be sure it really is as bad as I suspected, I used iClipboard to watch in real time as each password I clicked became “live” unconcealed text in RAM.
FWIW, I found previous bug reports on exactly this issue going back to 2017, which means this hasn’t been addressed at all, leaving Brave users wide open.