I would agree, IMHO keepassXC should however actually lay out their review standards better to actually be able to review security relevant code. I am a happy keepassxc user on multiple devices. However, trying to use and extend it in various settings, I simply still do not understand their complete threat model, which makes it very difficult to understand the impact of many of extensions it provides: being it for quick unlocking or API connection to browsers that can be used for arbitrary clients.