
Right, but I wouldn't have expected that processes outside of chrome could get at its internally managed db (or encrypted properties), especially if it's using an authenticated (chrome) user profile.

Windows doesn't have any application firewalls by default? I thought that was the whole thing that came in with Vista that people were upset about. (Of course, thinking it through, Linux isn't any better, assuming the process is running as the same user.)

If you have untrusted code running on your computer, especially with admin privilege, then it's already game over no matter what you do. Any kind of stored secret can be extracted, and any kind of typed-in secret can be keylogged.


This was definitely true a decade ago, but secure elements in processors have opened up all sorts of options. Unfortunately, taking advantage of those is one place where mobile operating systems are far ahead of desktops.


Mobile OS security works by clamping down hard on what the local user can do, by severely restricting your freedom in what you can do with your device, to the point where you can't even access most of the device's file system. It works under the assumption, and the reality, that 99% of users out there don't have root access on their phone. At the other end of the spectrum we have the PC, where we have full freedom to do what we want, just a "sudo" or "run as admin" away, but that comes with a price.


I know in Chrome on Windows, I am asked for my Windows login password if I want to view any saved passwords. Really hope that's not just a "UI" feature, and those passwords really are encrypted.


>Really hope that's not just a "UI" feature, and those passwords really are encrypted.

It's definitely a UI feature. If you want to extract the password, all you have to do is visit the login page, open the developer console, and type $("input[type=password]").value


I meant more at rest. I think even if you use an extension like LastPass with a policy that the user can't see the password, it's still going to show up in developer tools under the POST.

