Not 100% sure, but with the new chrome app, the inactivity timeout loggout doesn't seem to work.
I have it set to default 10 minutes and it never logs me off, whereas before I had to relogin all the time.
Yeah it definitely doesn't log off after inactivity.
Also, after typing in the secondary password to make a transaction, it will never prompt again till next session.
Because of these two factors, a user's chrome app wallet left minimized and computer left unattended, all coins can be subject to theft.
IMO, the secondary password should function like a PIN, and needs to be entered for each transaction. The secondary password should only expose the private keys to the system just for signing the transaction.