Password Managers: Under the Hood of Secrets Management (securityevaluators.com)
33 points by abbracadabbra on Feb 20, 2019 | 5 comments



I posted this research by ISE, referenced in an article in WaPo that summarized it as follows:

It found the Windows 10 apps for 1Password, Dashlane, KeePass, LastPass and RoboForm left some passwords exposed in a computer’s memory when the apps were in “locked” mode. To a hacker with access to the PC, passwords that should have been hidden were no more secure than a text file on your computer desktop.


Could you elaborate on which passwords were not hidden in locked mode? By your wording I assume that it's not all of them.


Is there any such research done for browser extensions and macOS?


I use KeePass (currently version 2.40). The author does claim to use "in-memory protection" of secrets while the program is running, but apparently it is not thorough enough. However, I would need to have malware running on my machine (or give physical access) to exfiltrate the in-memory passwords, right?


Correct. Also, if malware is running, it can do better than just steal your manager's password. So I'd say you're OK with only that "bug".



