Yeah, I agree with you. I'm joking that KeePassXC developers should make parsing .kdbx an optional feature (that's an attack surface by itself for sure!) and see whether Debian package maintainer enable it or not.