This seahorse tool looks useful, thanks for hint!
From what I see in seahorse, the keyring is unlocked. I can lock it explicitly via seahorse, and the next time I run Brave, browser asks the user’s password to unlock it. Looks like Brave has no problem with handling the locked keyring.
Regarding suspicious records in Keychain - there are multiple records; seems that every Chromium-based browser creates them. So I have items like “Brave Safe Storage”, “Chrome Safe Storage Control” and “Chromium Safe Storage”.
The “Chrome Safe Storage Control” is interesting one. It has a description:
Because of quirks in the gnome libsecret API, Chrome needs to store a dummy entry to guarantee that this keyring was properly unlocked. More details at http://crbug.com/660005.
I’m not sure which browser created this record - Brave, Vivaldi (I have it too) or Chrome (I uninstalled it), but it looks related to the problem with keyring. The discussion by the links suggests that:
Under certain conditions, gnome libsecret methods that perform a lookup
in keyring may ignore a locked keyring and return empty results, instead
of unlocking said keyring
and it looks like a legit cause I think. Libsecret returns an empty value → Brave cannot use it to decrypt the synced data. I wonder if creation a similar record like “Brave Safe Storage Control” could fix this…