The login names and passwords in my FF files are encrypted.

That's excellent, I'm really glad to know that. That is by default, right?

But tell me, how can, in example, Chromium import all usernames and passwords from Firefox and be able to use them? Is there some other application/package in our computers doing some kind of decoding action that allows this?
And/or nevertheless Chromium can import that data, it is still encrypted and only I (the user) can see it and the application (Chromium) can not?

I have a bit of trouble understanding this because I have the idea that if I can see passwords in one application, so does the application can see them. I believe there is always a way for the application to access the passwords, even if there is not that purpose. I have the idea that, among all these password leaks that we've been having in thousands of websites, that some of those websites had secure connections and mentioned that they could not access our passwords; but nevertheless the passwords were somehow still leaked to the hackers.

I just installed Chromium and imported my FF data, even though I made sure that the "passwords" option was selected, none of mine were imported into Chromium.

I don't know about other browsers, but in Firefox the master password is not very secure. If you search for 'firefox master password security' you'll find information.
I've read somewhere Firefox is (finally) working on that issue.
How secure the encryption in other browsers is, I don't know.

I use a third party encryption tool like KeepassXC to encrypt all my passwords. But for the most part unless someone gets physical access to your computer they are pretty safe.

@claydoh is there a probability that you have a master key in Firefox or are using something like Firejail in Chromium? Or that you had Firefox open (running) while you were importing the passwords into Chromium? I imported easily all my (many) passwords from Firefox into Chromium in the regular "Import data from another browser" option.
I just tried it again using a clean profile and in less than 5 seconds all my Firefox passwords were available in Chromium.

--

@Goeroeboeroe I made that search and the first article I read, dated from March this year, states this:

So... wow... Can it be that simple that, for stealing someone's passwords from Firefox (and probably from every other browser) an application with bad intentions only has to search for those two files (or equivalent in other browsers), which can be easily made because every application can access our home folder, and send them to the attackers?

No, and no. It actually prompted me to close firefox before it could proceed to import.
I still need to enter passwords in chromium since I did this yesterday. Bone stock chromium 68.something, and bone stock firefox with zero customizations on either. I mainly use Chrome proper as it is a work requirement for one of my jobs.

@claydoh try importing again by checking only passwords and nothing else, that's how I just did it and it worked.

---

About this that I wrote previously after the mentioned article:
Is it really true that an application only has to to get the files logins.json and key3.db (less then 100 kb in files) to get all our passwords?

No idea.
But, if this were the case than any application anywhere on any os can read every browser-stored password not locked by a password if so desired.
I imagine there is some process or something we are missing here but likely there is nothing to be done unless one uses a master password or third party password manager. Again, I have no idea, and it must not be a huge issue as it seems OS independent.

If I recall correctly in Windows 10 I was prompt with entering the Windows password if I wanted to see Chrome's passwords. I cannot confirm this since I do not use Windows.

For what I've been searching, Chrome and Chromium use KWallet in Kubuntu for storing the passwords. I do not know if our passwords are safe or not using KWallet without a master password set, I understand nothing about this.

Speaking about Firefox, I cannot find anything that states different then that alarming statement I quoted. I find it very troubling because no one (generally speaking due to the residual value that does) uses a master password in the browser nor even knows what that is or that it exists.
So basically that seems like it, if an application with bad intentions decides to look for the files logins.json and key3.db in our home folder and send them to an attacker, they will easily have our passwords. Exceptions made to the small percentage of the users that have set a master password or have a third party password manager.

I don't know about other browsers, but in Firefox the master password seems to have weak encryption.
But it's not as bad as you describe it. All passwords are stored with encryption, even if you don't use a master password. But if somebody has access to your computer, they can use (and read) the passwords. With a master password there's an extra level of protection.
So even if some rogue program can steal your logins.json and key3.db, it's not stored in plain text. They still have to decrypt it.
(If somebody I don't trust had access to my computer, that alone would be a reason for me to change all my passwords. If they had long enough time to copy etc.)

You wrote before that every application can access your home folder and send files to an attacker. Luckily that's absolutely not true.
I'm no security expert at all, but I'm absolutely sure that no application can send anything from your home folder, or from any folder, without you giving permission. (Except for bugs of course in the operating system.)
So an attacker has to find a bug or something like that to sneaky upload your files and has to decrypt them. It's far easier to find passwords via phishing or something like that.
If it was as easy as you describe it, every password on earth would have been stolen long ago. (And I would be a multi-billionaire.)
Firefox (and possibly other browsers) should strengthen their master password, but it's not as bad as you describe it.

I make sites. If I try to change the url with JavaScript, that's only possible within the same domain. It's simply impossible to change an url secretly to some other domain. If I want to test that JavaScript, I even can't do it on my local machine, because the stubborn little bastard refuses to use another url than starting with something like file://home. I have to test it on the domain I want to use that script. (Or at least: not on my local machine.)
HTML gives the possibility to upload files. But it's impossible to do that without a very explicit agreement from the user.
If every application could send files from your home folder, newspapers would only write about compromising pictures from famous people, every mail from Donald Trump would be on the open, etc., etc. In reality that only happens when something is hacked, with phishing, etc.

I am really glad to know that, I thought it was an android-ish kind of situation in which an app can access the data in our device. You know, that unfortunately regular situation when you install a flashlight app and it requires access to read and write the contents in the internal storage and in the sd card, start at boot... We all know the drill.

About this you mention:
In example when Firefox crashes I'm prompted to send a crash report to Mozilla, which I presume includes some data. I assume it includes some data about the computer and maybe some file that is on the computer, probably some log file generated by Firefox.
It does indeed ask for my permission to send the data, but it does not require any type of authentication and it's just a click away. So isn't this a process of an application being able to send files from our home folder since a malicious application wouldn't prompt any screen requiring a click and would just send it right away?

I'm sorry for all this bother but I'd really like to clarify this process so I can be at ease. Meanwhile I've already set master passwords in my pc either for Firefox and for KWallet.

I don't know exactly how Firefox generates that report. But that's not a file from your home folder. In it are things like a memory dump from Firefox, what extensions you use, etc. But it's not something that's read from your disk. It's possible that the configuration is send too, but that's a settings file Firefox itself uses. (If you type 'about:config' in a new tab you can see those settings. But take care not to change anything if you don't know what it means.)
Every browsers sends data anyway, like if JavaScript is enabled, what kind of movies you can play, etc. If the browser doesn't send that kind of information, it's impossible to see sites etc.
If you're interested in that kind of stuff: http://browserspy.dk/gecko.php gives a very long list of what the browser sends. Actually it sends so much information it's possible to identify your browser (almost) unique. There's a test on https://firstpartysimulator.net/ that shows if your browser has an (almost) unique fingerprint.

One more thing about sending files. Every browsers keeps a list of visited sites (unless you disable that). That list is an ordinary file with links (in Firefox it is, I guess in other browsers that's the same). Not encrypted, just an ordinary file. The sites you visited is really usable information for ads etc., so a lot of companies are interested in that. But that list can't be uploaded. For example Google has to do all kind of difficult and expensive thing to keep track what sites you visited.
A few years ago somebody found out you could see what sites somebody had visited with a little bit of css and JavaScript. (Not every site on internet, because they had to compare it with a list of sites. So not more than a few thousand sites, because otherwise the list would be too long.) All browsers repaired that leak pretty fast.
So even a not encrypted file with links of visited sites that's really interesting for ads can't be uploaded.

Thank you very much for the explanation and all.

Yes the infamous browser fingerprint, there's even a recent question if, according to the recent approved EU laws, if that is not infringing the laws of privacy.
On that site you mentioned my browser was identified as unique so I could be using a vpn and whatever to maintain my privacy but I would still be identified.

My dumbdumb logic is still bumping on my head, for some reason I think that if an application can access and read files inside folders (in example the image application can access image files anywhere in the home folder, the music application can access music files everywhere in the home folder and so on), and some applications can send information to other non-local machines (in example internet browsers, KDE's Discover and Filezilla alike apps), putting this features together in a script I do not see how sending files from a Linux machine wouldn't be possible. Probably I'm missing some kind of procedure on the operating system that does not allow it, but as I said right from the start I can just be being fouled by my ignorance.
But enough about this since you already explained it to me and I thank you very much for that knowledge.

I also just got very frustrated and annoyed after searching online for "decrypting key3.db", there are a lot of ways available to the public to extract the key in a few seconds (from a Firefox browser with no master password set) so that the usernames and passwords in the file logins.json can be read.
So I really hope that these files cannot be accessed because for sure any attacker will be able to extract it.