The KeePassXC kerfuffle

Posted May 22, 2024 17:47 UTC (Wed) by atnot (subscriber, #124910)
Parent article: The KeePassXC kerfuffle

I think the security argument is pretty flawed under a reasonable threat model.

The biggest reason 99% of people will have data compromised is not some advanced supply chain attack. It is phishing and password reuse.

The only good defense against the former is binding authentication credentials to domains. That is, security keys, which most people will not bother with, and password managers that look up the credentials based on the browser domain. The keepassxc browser extension is essential in defending against these very common attacks. It is almost guaranteed that people will, out of habit, copy and paste their password into places they should not have as a result of this.

The only good defense against the latter is passwordless auth, which nothing supports and, more importantly, a password manager you actually use. Luckily, password managers are mostly actually a better experience than remembering passwords. You just hit "generate password" on the password field, hit "save login" and the next time you come back the credentials will just be there for you. But that compelling experience only exists with proper integration with the browser. Without it, the friction meant that I frequently just used my old bad passwords.

I do appreciate the thought of reducing the attack surface. But you really have to be careful that you don't end up exposing people to real, common, everyday risks by trying to protect them from hypothetical, rare and esoteric ones.
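The domain binding the comment above relies on is easy to see in code. The following is an added illustration, not KeePassXC's or its browser extension's own code: a minimal lookup that only returns credentials whose stored host matches the page's host (or a parent of it) and refuses to fill over plain HTTP, plus a reuse check over the same vault. The vault entries and the page URLs are constructed for the example; the hostnames are placeholders, not real sites.

```javascript
// Added example (not KeePassXC code): credentials bound to the page origin.
// The vault below is constructed sample data; hostnames are placeholders.
const VAULT = [
  { title: "Bank",  url: "https://bank.example.com/login", username: "alice", password: "correct horse" },
  { title: "Shop",  url: "https://shop.example.org/",      username: "alice", password: "correct horse" },
  { title: "Mail",  url: "https://mail.example.net/",      username: "alice@example.net", password: "Tr0ub4dor&3" },
];

// Return the vault entries that may be offered on `pageUrl`.
// Rules: the page must be served over HTTPS, and its hostname must equal the
// stored hostname or be a subdomain of it. URL parsing normalises case and
// converts internationalised (homoglyph) hostnames to punycode, so a lookalike
// domain never compares equal to the stored one.
function entriesForPage(vault, pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return []; // unparseable URL: offer nothing
  }
  if (page.protocol !== "https:") return []; // never fill over plaintext HTTP

  const host = page.hostname.toLowerCase();
  return vault.filter((entry) => {
    let stored;
    try {
      stored = new URL(entry.url);
    } catch {
      return false;
    }
    const want = stored.hostname.toLowerCase();
    // "accounts.bank.example.com" matches "bank.example.com";
    // "bank.example.com.evil.test" and "bank-example.com" do not.
    return host === want || host.endsWith("." + want);
  });
}

// Group hostnames by password and report any password used on more than one
// host. This is the "password reuse" half of the argument: a manager can only
// flag this because it holds the credentials in one place.
function reusedPasswords(vault) {
  const hostsByPassword = new Map();
  for (const entry of vault) {
    const hosts = hostsByPassword.get(entry.password) ?? [];
    hosts.push(new URL(entry.url).hostname);
    hostsByPassword.set(entry.password, hosts);
  }
  return [...hostsByPassword.values()].filter((hosts) => hosts.length > 1);
}

// Stand-alone demo: the legitimate page gets its credentials, the lookalike
// and the HTTP page get nothing, and the reused password is reported.
console.log(entriesForPage(VAULT, "https://bank.example.com/login").map((e) => e.title));
console.log(entriesForPage(VAULT, "https://bank.example.com.evil.test/login").map((e) => e.title));
console.log(entriesForPage(VAULT, "http://bank.example.com/login").map((e) => e.title));
console.log(reusedPasswords(VAULT));
```

The matching rule is deliberately strict: a user who is phished to `bank.example.com.evil.test` sees an empty autofill prompt instead of their bank password, which is exactly the cue the comment says the extension provides. Real managers add per-entry settings (exact-host-only, scheme matching, extra URLs), but the origin check is the part that does the security work.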


The KeePassXC kerfuffle

Posted May 22, 2024 20:35 UTC (Wed) by Rigrig (subscriber, #105346)

> passwordless auth, which nothing supports

Actually, Passkey support is starting to grow. I've already got it set up for GitHub, Nextcloud and Albert Heijn (a Dutch supermarket, happily surprised how soon they implemented it)

And the only reason I'm using it, is that KeePassXC supports it: https://keepassxc.org/blog/2024-03-10-2.7.7-released/

The KeePassXC kerfuffle

Posted May 23, 2024 11:00 UTC (Thu) by Lennie (subscriber, #49641)

And supposedly also a thing of the past again:

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-sh...


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds