Okay, I see. My misconception was that I assumed the user password had to be stored somewhere, when in reality, it is itself the key for decrypting the seed. D'oh.
In other words, someone gaining physical access to my (Electrum) files will gain no additional benefit over trying to brute force the user password directly.
An attacker needs the seed. If you are using a password, their options are:
If they have physical access to your stuff:
- Read the piece of paper you probably have your seed words on
If they can run things on your computer (malware):
- Read the seed out of your computer's RAM when you type in your password
- Read the Electrum files off your drive and read your password when you type it
- Read the Electrum files off your drive and brute force your password