It’s a small potential risk, yes.
The original KeePass was a Windows C# program. It has since been reimplemented numerous times, and some versions even got forked themselves - like KeePassX and KeePassXC. It doesn’t really matter which fork you consider official. The important thing between all of them is just the common database format.
Exactly. It’s offline so it ain’t going to leak nothing to no one, and as long as it can read/write a KeePass database in the format that other forks can read, I don’t really care that much about the particular fork I’m using.
I carry it with me all the time in my backpack. I do, however, have backups of everything on it should it get lost or stolen, to be able to restore everything on another device.
My permanently offline Android phone.
You don’t really have to do this. It’s amazing what virtualization software can do these days. You can pass through your whole GPU to the guest OS and you’ll have like 99% native performance. You just need a decent enough CPU with VT-d support, that’s all; modern high-end CPUs should all have it. But if you’re not gaming and don’t need 4K, even without the relatively complicated GPU passthrough, the stuff just works amazingly fast. It’s totally possible to work all from within virtual machines these days. I have one VM for porn, one for banking, one for cryptocurrencies, a couple for web surfing, and I can pop a new one by cloning a template to test out a random software download or build whenever I want; it takes just a few moments…
You have to trust someone in the end who packages and builds your software for you, and I choose to trust the biggest player there is out there. It’s also got much more polished in recent years than it used to be; for me it’s even better than Ubuntu - recent Ubuntu releases crash way too much on my machine. It also works perfectly as a rolling release with Debian Testing, unlike Ubuntu, which you have to reinstall every f’ing time.