I have Proton Pass on both my Android phone and my Linux laptop, but because of the security defects of Linux, I don't want to give the same levels of trust to both platforms. I would like a way for one trusted device to be able to enforce limitations in what other devices can access, such as allowing one-time access to use passkeys (ideally doing the actual cryptography only on the trusted client), one-time access to pull a certain password, or permanent access to specific credentials.

Currently, to accomplish something like this, I use one paid account (on Android) and one free account (on Proton Pass for Linux) with a shared "Low Stakes" vault, but this is hacky and violates TOS.