Hi David,
So is it a Security Risk to enable the feature for the entire database
Yes, although it is difficult to quantify the severity of that risk because the exact risk depends upon how each person uses their browser and password database. I have not had time to enumerate a full list of risks but the one that comes to mind is a scenario where you are tricked into saving a password for a website which contains malicious code as part of the form fields that you save into the database.
When you then revisit that same website, different malicious code could extract the contents of any data that is filled by Kee. With placeholders disabled, this data is limited to the data that the website presented to you in the first place (so there is no risk) but if the website has included a placeholder which drags in content from elsewhere in your database, this could then be revealed to the malicious website. I’m not sure if there is even any way that this extraction via placeholders can be achieved without specific knowledge of the target database but I wouldn’t want to say for sure without much more research.
If you are confident that you will not be tricked into saving passwords that you did not need to, and if you trust that new websites you save passwords for are not malicious (or compromised with malware that specifically targets KeePass databases) then there isn’t really any risk.
By ensuring that newly created entries have placeholders disabled, this raises the bar even further so that any malicious website would also have to trick you into reconfiguring the newly created KeePass entry to enable placeholders before this type of attack can succeed. You can never say never, but this would appear to be unlikely enough that there will be easier routes for an attacker to trick someone into revealing secrets.