I wish people would stop boosting this. It's a complete non-story.

There are two different policies that browsers have:

• Load passwords once, decrypt them, have them in memory.
• Load passwords on demand, decrypt them, and have them in memory.

In both approaches, the passwords are encrypted on disk, the key for decrypting them is in memory. An attacker who has the ability to dump memory to get the passwords in the first approach also has the ability to dump memory and get the decryption key in the latter approach. There is no threat model that the second approach depends on that the first does not.