I don’t do this, but I think they do it because it’s a measure against:
- Forgetfulness.
Example: if you forget one word of your ~25-character passphrase, you can still log into Proton Pass on Android or iOS using fingerprint authentication, and refresh your memory.
The security of a vault isn’t degraded when one puts the keys inside. You have to assume the vault is compromised in that scenario. At that point it doesn’t matter if the keys are inside.
When I think about it like this, it makes sense to me, but I don’t know if you agree. To me, there is no in-between: it’s either compromised or it isn’t.