I've noticed that a great deal of secure websites will disable autofill in their username and password fields on purpose. For ages I've had a Chrome extension installed that disabled autofill=off to get around exactly that, and I believe I'll leave it enabled. I know better than to trust plain password auth anyway, and mostly use the feature to remember one-time passwords to things like forum sites that have the ridiculous policy of hiding plain URLs to non-registered users. (I will never understand what a forum gains by having a large number of users in their database who registered once to download that one attachment, then never came back again.)
Regardless of the intent, I think when you try to make decisions on behalf of your users, you're doing them a disservice. I mean, really, the security risk of autofill on password fields is that the user's passwords are now saved on their computer? I think users who need to utilize this feature and have it denied them will just end up typing the password into a word document named "Passwords.docx," and that's a heck of a lot less secure than Chrome's encrypted password store. Not that Chrome's implementation couldn't be better, but still.
Why use a Word document? I put all my security passwords—especially the ones that won't autoflll or that make me change them often—into a Google Docs spreadsheet online. That way I can get to my passwords from anywhere.
Regardless of the intent, I think when you try to make decisions on behalf of your users, you're doing them a disservice. I mean, really, the security risk of autofill on password fields is that the user's passwords are now saved on their computer? I think users who need to utilize this feature and have it denied them will just end up typing the password into a word document named "Passwords.docx," and that's a heck of a lot less secure than Chrome's encrypted password store. Not that Chrome's implementation couldn't be better, but still.