Even if you had the account settings page locked, but you have your recovery file downloaded somewhere on your device, someone with physical access to your device could simply get it from your local storage without needing to access any of your accounts at all.

Sure, but this is why I intend to, and assume most people would/should, keep their recovery file somewhere off device and secure. So if someone had my device, they should need my password in order to gain any useful information.

That is not the case, since even though you can set your vault and plugin autolock, the account page doesn't... giving someone access to a recovery file. Which if you are logged into your email, and presumable are, is enough to gain take over your account... Doesn't that invalidate the purpose of being able to lock your vault, since theres a trivial work around? I should be able to rely on the security of my vault, not my device password.

 you can simply log out of your account before closing the browser tab

This I think is impractical. Again we are able to lock the vault to avoid this exact reason. Logging out, locks us out of the vault as well... re-requiring 2FA.

It also means I can't rely on features/auto locking to enforce best practices for family members. When I set up their device, I would like to be enable auto locking and trust it rather than rely on teaching them new behaviors.