The attack vector is an autofill function on a compromised website that has attackers javascript running either injected in a webpage or on a subdomain hosting user content. Since autofill will never fill passwords from another domain, others won’t be at risk. But why bother with clickjacking at that point, you could just have your malicious script read the password values silently once the user enters it, password manager or not. That’s not a password manager problem, that’s the problem of the vulnerable website.
The one which is actually dangerous that shared all password for all domains actually had a bug bounty awarded to the guy and is now fixed, good for him on finding that. The rest is really a non issue , I wouldn’t worry that much.
Though credit card details and personal user info autofill might be problematic since those are not site-bound. I would either disable those or just not store them in the password manager.
The usual trick is hdparm I guess? For me with a 8 disk raidz2 pool I found that playing a movie from that might put it to sleep between reads, because the longest timeout is a bit short. I’ve been using hd-idle with a 30 minuten timeout because of that for quite a few years already which has worked quite nice for me.
The only issue I’ve run into is that smart data reads count as activity, so make sure that any smart data software has a long timeout between reads and is configured to not wake disks.