Re: A bit light on details
My understanding from the Dashlane blog post on the subject and also from Google's general stance on passwords is thus:
Your phone should be secured - it's arguable that if your device is stolen and the lockscreen security defeated - it's probably game over at that point, locked password manager or not.
The aim of the API is to encourage people who don't use password managers to start using them - because far, far, far too many people are using the same username and password for everything, some might have 2 or 3 that they use - but the only way to get away from the risk of the seemingly daily onslaught of sites being hacked - is if it becomes a less valuable activity for hackers - so yes - they might break in and steal usernames and passwords of everyone, but if they are all unique logins for that site only and will not work anywhere else, then the value of the data plummets.
It's all well and good in theory, but there are 2 things holding back "normal" users: the first and major pain point is that they find the idea of a password manager inconvenient and in some cases confusing; this prevents them from embracing the idea of having a unique login for every site.
Not a lot is known about the API but I'd guess Google will probably go down the fingerprint / biometrics route - possibly even trusted voice, and maybe trusted device.