You have to encrypt the keys.
The db is stored as a regular file - I was able to read the private key with Notepad from outside the browser.
Yes, I agree, this is still in development. Also, it's targeted for mobile devices, which have a more sandboxed environment, but still, given the nature, I agree.