I am a happy keepassxc user but I have criticized the authors on multiple occasions for not investing in a clear documentation of an attacker model. It seems to me a lot of bogus security is added here and there and this non-CVE is the result, because people demand more of that.