I mean, is everything saved automatically in the browser? and to log back in only requires a passport, not most other wallet sites
which requests such a private key for him to access the wallet, but does not apply here
All your claimables, coins and such are saved client-side, in your
IndexedDB.
If you want to make a transfer, you need your seed, which is derived from your password + mnemonic phrase. Your mnemonic phrase is also stored client-side, however the password is - obviously - not.
So, someone who has access to your browser, given that the password has enough entropy, will not be able to spend your coins.
which requests such a private key for him to access the wallet, but does not apply here
As long as your password has sufficient entropy, I don't see the difference?