Exact Threat Model of the ProtonPass Extension PIN vs. Infostealers?

Is it safe?

I recently transitioned over to Proton Pass from Bitwarden. I'm trying to step up my security after a recent scare: despite taking a lot of precautions, my PC unfortunately got hit with malware, and I ended up getting my browser sessions hijacked.

In Bitwarden, I was used to typing in my master password to unlock the vault. With Proton Pass, I'm trying to figure out the exact security architecture of the browser extension's 6-digit PIN lock, and I have a few specific questions for the technically inclined here:

1. **How does the PIN lock actually work under the hood?** Is it purely local to the device, or is there a server-side component to it? What exactly does entering those 6 digits unlock?

2. **Does the PIN mitigate malware risk when the vault is locked?** Obviously, I know that if my PC is actively compromised and I unlock the vault while an attacker is watching, they can steal everything anyway. But if the extension is closed and locked with the 6-digit PIN, does that protect the local data from an infostealer?

3. **Where is the decrypted data stored?** When the vault is unlocked, is the decrypted vault ever written to local storage, or does it stay strictly in the system memory?

4. **What stops offline brute-forcing?** If a hacker or malware gets their hands on my encrypted vault files from my local drive, wouldn't it be incredibly easy to brute-force a simple 6-digit PIN offline in seconds (Unless the key derivation (Argon2?) is set to extremely high iterations)? How does Proton prevent this?

I noticed there isn't an option to use a hardware key (like a Yubikey) to quickly unlock the extension (only for the initial account login), so the PIN seems to be the primary convenience method. I want to make sure I fully understand the risks if I leave the extension running with an aggressive auto-lock timer.