I'm not sure if they fixed it, but in the past any process that was running in your user account or admin on your PC could dump the plaintext of this trivially, for many years.
Reply to @jeffbee: You basically have to have that threat model, because ordinary users are running dozens of untrustworthy processes on their machines. Real world security has to assume the user is not a security expert.
A process running as my user or admin on my PC can also just inject input events to transfer money out of my bank account. You cannot have a useful threat model that models yourself as a threat.
The one where you can just launch chrome and click the eyeball icon to see what the password is? Or does chrome have something fancier I am not aware of?
