It runs locally, and if the attacker has that much access, in most scenarios there isn't anything stopping your adversary from just logging your keystrokes and curling the keystore to a remote server.

Yes and no. In a language like C++ you might have more control on encrypting and zeroing out sensitive memory.

no how else would we get your passwords?