SamuraiSafe resisted adopting password autofill for web pages within the web browser, as the implementations were often vulnerable to compromise. SamuraiSafe now adopts Apple’s AutoFill Credential Provider Extension interface, which is built into iOS/iPadOS/macOS and aims to avoid such vulnerabilities.

Importantly, there is no auto in AutoFill. User authentication and confirmation are always required. In addition, Apple goes to some lengths to ensure that the websites or domains associated with an application are legitimate, although one can’t discount the possibility that these mechanisms may be circumvented in certain situations.

Some articles about things going wrong:

Security and privacy often involve a tradeoff with convenience. Solutions are often complex and may not be correct or complete. By keeping things simple, the risk of vulnerabilities is reduced.