Whenever you log in, the keychain is automatically unlocked, so that processes that want to use something in that keychain don't make you type in your password. This means that securityd stores the key to unlock the keychain in the heap, without encrypting it. This key, the master key, is what unlocks the first layer of encryption on the keychain. The master key reveals the wrapping key. A hardcoded obfuscation key reveals the encrypted credential key. The wrapping key reveals the credential key. Then the credential key finally reveals the plaintext password.

This heap space is accessible only to root, of course, so this is not useful if you are trying to elevate your privileges. But it still leaves you vulnerable.
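The key chain described above can be modelled in a few lines to show why the cached master key alone is enough. This is an added example, not code from the original post or from Apple: the cipher is a toy HMAC keystream standing in for the keychain's real one, the obfuscation key and passwords are constructed values, and deriving the master key from the login password with PBKDF2 is an assumption.

```python
import hashlib, hmac, os

# Constructed stand-in for the hardcoded obfuscation key; not the real value.
OBFUSCATION_KEY = hashlib.sha256(b"constructed-obfuscation-key").digest()

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy HMAC-counter keystream; stands in for the keychain's real cipher.
    stream = b"".join(_mac(key, nonce + bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + _mac(key, nonce + ct)

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, nonce + ct)):
        raise ValueError("wrong key for this layer")
    return _xor(key, nonce, ct)

def build_keychain(password, secret):
    """Return (on-disk file model, master key that stays cached while unlocked)."""
    salt = os.urandom(16)
    # Assumption: the master key is derived from the login password.
    master = hashlib.pbkdf2_hmac("sha256", password, salt, 1000)
    wrapping, credential = os.urandom(32), os.urandom(32)
    keychain = {
        "wrapping_key": wrap(master, wrapping),
        "credential_key": wrap(OBFUSCATION_KEY, wrap(wrapping, credential)),
        "password_item": wrap(credential, secret),
    }
    return keychain, master

def recover(keychain, master):
    """Walk the chain with only the cached master key; no password needed."""
    wrapping = unwrap(master, keychain["wrapping_key"])
    encrypted_credential = unwrap(OBFUSCATION_KEY, keychain["credential_key"])
    credential = unwrap(wrapping, encrypted_credential)
    return unwrap(credential, keychain["password_item"])

if __name__ == "__main__":
    keychain, cached = build_keychain(b"constructed-login-pw", b"constructed-wifi-pw")
    print(recover(keychain, cached))  # the cached key opens every layer
```

The hardcoded obfuscation key protects nothing on its own: it only strips the outer layer of the credential key blob, and every other layer fails to open without the master key.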

I discovered all of this when I was trying to recover my keychain password, which I had completely forgotten. I had several old Wi-Fi passwords and SSH passwords which I needed to remember, but I didn't have the password for the login keychain. Thank God for shoddy security.