Optional unlock-before-autofill security model for browser extension
Proton Pass currently follows a browser-trust security model: once the browser session is unlocked, autofill is allowed without additional user authentication.
For users who keep their browser open for long periods or occasionally share devices, this effectively means the password manager is also unlocked. The existing PIN protects access to the Proton Pass UI, but does not gate autofill itself, so credentials can still be filled without explicit authentication.
I would like to suggest offering an optional vault-style security model, where autofill requires explicit user authentication (password or biometrics), and optionally auto-locks after inactivity independent of browser state.
This would significantly improve security for shared-device and security-focused workflows, while remaining optional for users who prefer frictionless autofill.