P04 - Controlled access to vault data

Clients must ensure that vault data, whether at rest or in use, is accessible only to authorized parties and always under the user's explicit control. Even when unlocked, access to vault data must be carefully restricted to specific contexts, such as autofill or explicit user actions. Isolation mechanisms must be employed, particularly in environments prone to unauthorized access—such as browsers—to prevent exposure to third parties without the user's consent.