There really needs to be another standard class of vulnerability besides "physical access to the device", along the lines of "access to a copy of the on-disk data". There are so many paths to this, and some never required physical access or even an accidental exposure on the part of the user; it could be a breach of a provider (à la LastPass).