Hacker News

If you store your 2FA recovery codes in the same place as your passwords, there is effectively no point in you having 2FA, because compromising one factor, your password manager, compromises both.



You are correct but in my use-case I have my browser remember the passwords and use a standalone password manager for storing credentials that I infrequently access. An exploit compromising the browser would next have to compromise the password manager's encrypted database.

Admittedly this is not perfect, but I am comfortable with the level of security it provides. I think it is also roughly comparable to users who have a 2FA app on their mobile and a password manager syncing to the same device.



