
This is logical, right?

1. You can access the passwords if you know the PIN.

2. All state is local.

All you need to do is guess the PIN and restore state, and repeat. Any code in Bitwarden to prevent (obscure) you from doing this is just a cat and mouse game.

Perhaps a way around this is to not have all state local. Have the PIN + separate authenticating private key go to their server. You get 3 attempts before you need the full password.
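A sketch of the server-side attempt limit the comment proposes, as an added example that is not part of the original comment and not Bitwarden's code. All names are hypothetical, an HMAC with a device-held key stands in for the "separate authenticating private key", and the sample PIN and vault key are constructed.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # from the comment: three PIN tries, then the full password


def device_tag(device_key: bytes, pin: str) -> bytes:
    """Client side: authenticate the request with the device-held key.
    Assumption: an HMAC stands in for the private-key signature."""
    return hmac.new(device_key, pin.encode(), hashlib.sha256).digest()


class PinServer:
    """Hypothetical server: the failure counter lives here, not on the device."""

    def __init__(self):
        self.devices = {}

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, device_id, device_key, pin, vault_key):
        salt = os.urandom(16)
        self.devices[device_id] = {"key": device_key, "salt": salt,
                                   "pin_hash": self._hash(pin, salt),
                                   "vault_key": vault_key, "failures": 0}

    def unlock(self, device_id, pin, tag):
        rec = self.devices[device_id]
        # Unauthenticated requests are rejected without touching the counter,
        # so only the enrolled device can spend the three attempts.
        if not hmac.compare_digest(device_tag(rec["key"], pin), tag):
            return "bad_device_auth", None
        if rec["failures"] >= MAX_ATTEMPTS:
            return "locked_full_password_required", None
        if hmac.compare_digest(self._hash(pin, rec["salt"]), rec["pin_hash"]):
            rec["failures"] = 0
            return "ok", rec["vault_key"]
        rec["failures"] += 1  # server-side state: a local restore cannot undo this
        return "wrong_pin", None


def demo():
    """Constructed scenario: three wrong PINs, then the right one arrives too late."""
    key, server = os.urandom(32), PinServer()
    server.enroll("dev-1", key, "4821", b"constructed-vault-key")
    return [server.unlock("dev-1", p, device_tag(key, p))[0]
            for p in ("0000", "1111", "2222", "4821")]
```

Because the vault key is released only by the server, the local copy alone gives nothing to test a PIN guess against, and the counter survives any rollback of client state.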



