(short on time, so here’s an overview to answer part of the question)

All password managers that are worth their salt (cryptography pun intended) have to anchor their trust to something, be it the OS’s secret-storing APIs or a piece of hardware like a TPM (typically built into your machine’s motherboard), an HSM (eg Yubikey) device, or an external source of authentication outright (eg a smart card, akin to what the USA Military does). Without any sort of trust anchor, a password manager is little else than a random program that happens to invoke a few cryptographic algorithms. It would be almost trivial for a malicious actor to use a bog-standard debugger like GDB to read the program’s memory and steal the secrets, either after it has been conveniently decrypted by the program or by spying on the program while it performs the cryptographic algorithms.

Since a password manager runs within an OS, meaning that you already have to trust that your OS isn’t an NSA backdoor, it makes sense to rely on the OS for storage of secrets. What the password manager does is provide the frontend for adding/updating secrets from the OS’s store, while also making sure to authenticate the user prior to allowing access to the store of secrets. Once again, this is where hardware modules can come into play, but it can also be done using a main password. That is, you need to unlock the password manager before the secrets it contains are available for use.

Rather conveniently, the OS can also provide this authentication functionality: if you have already successfully logged into the computer, then that’s a form of authentication. The most basic-but-reasonably-secure password manager would use two APIs to offload the difficulty tasks to the OS: the authentication API and the secrets API. That’s the absolute bare minimum.

What Firefox’s password manager provides, by default, is exactly that. But you can choose to upgrade to a Firefox-specific main password, so that if you forget to lock the computer, someone can’t just open Firefox and use your secrets. This is one step above the minimum for a reasonably secure password manager, but it comes with the inconvenience of having to unlock the password manager every time you want to use a secret.

By and large, all password managers make these types of tradeoffs between convenience and additional layers of protection against certain threats. If your machine is inside the vault of Fort Knox and is actively guarded by people with machine guns and a keycard bullet proof door, then Firefox password manager is plenty acceptable.

Whereas a shared home computer in a situation where the disclosure of the secrets would cause a grave problem – eg if an irate person finds that their spouse has a login for the local family court’s online website, which might suggest a forthcoming divorce proceeding – this might make sense to add additional layers. Indeed, some password managers can provide a decoy set of secrets, as a way of forming plausible deniability. If your situation needs plausible deniability, then Firefox’s built-in password manager might not fit the bill.

I want to stress that using any password manager at all is already a massive improvement in security posture, and that any additional features and frills are merely refinements. Some folks are in situations where they cannot accept the possibility of off-device secrets synchronization, which would rule out Firefox password manager. But if you don’t have such requirements, and if you can trust your OS, then you can also trust Firefox to store and manage secrets.