Plenty of home users disable the screenlock password to <cr> or qwerty.
Come to that I have known senior managers who should know better have their password on a postit attached to the side of their screen!
One of the cleverer recent scams involved stealing both and setting up a new phone to be the master by using the OTP that flashes up on some mobiles by default if the bank's preamble isn't long enough to hide it.
Once they have done that they can look up your bank card PIN using the app on the newly registered phone. You & Yours did a piece on it recently. There was another good one today too criminals putting fake QR codes over the ones on carparks, pub tables and EV charger points that redirect to a look alike site and steal your credentials.
The browser password store should be reasonably hard encrypted. Keyboard sniffing by malware is much more of a risk (although again there are tools to mitigate against that possibility).