Yes, it requires an attacker in a powerful position, but it does not require physical access. Any program that runs in the user's session (without any special privileges) could have autonomously retrieved the biometric key and decrypted the vault without user interaction and without Bitwarden running.
dist-epoch|2 years ago