Since I am trying to master qrexec and make split-everything-socketable, I found it relatively easy to make a split-KeepassXC-browser configuration, where multiple browser instances in different Qubes may access a single KeepassXC backend. Are there any objections why it would not be recommended and I should stick to copying all the passwords manually (ugh)? I can disable it for most “dangerous” qubes anyway I also wonder if locking/unlocking the password database can be controlled via socket so I can lock it from the client qube as a security pre-caution.
Typically, my approach is to keep some “common” service passwords in KeepassXC, while more sensitive, project-specific passwords reside in specific VMs built-in password managers (like FF without sync or Chromium bound to a separate Google account with advanced protection turned on). Is there any space for improvement? Can you share how you do it?