Just my opinion here; I don't know the history of this feature in the project:
The attack which DPAPI defends against is "someone has taken the hard drive out of your computer and dumped a copy of it" (it's not a defence against processes running on the computer for the reasons other people have explained here). It's not as good a defence as full disk encryption, and there's some performance impact to using it to store data (having to call into the OS to ask it to encrypt/decrypt things is never going to be free). Using this for all data would probably mean considering that performance impact carefully, and whether paying that cost is worth the security benefit to users who don't use full disk encryption - but that benefit is very small, because there's a ton of other data on a computer that doesn't use full disk encryption which is probably just as sensitive as their web browser cache, and so users who are really concerned about this definitely should use FDE instead of expecting all the software they use to encrypt things separately. However, the password store is used infrequently and updated even less frequently, so the performance impact isn't really a problem, so encrypting the password store isn't such a bad tradeoff.
Many *users* consider their stored passwords to be specifically important (even if they aren't aware that their saved cookies are almost as big a security risk), and so not encrypting them causes a lot of (probably misplaced) concern in those users - encrypting them makes those users at least feel a bit better, I guess? So, you could probably say that encrypting the password store is at least partly security theatre. The past concern by users about passwords being directly viewable in the browser (which was addressed in many cases by requiring the sync password) is similar - the users here are probably worrying about the wrong problem, but if a fairly straightforward step helps them feel better and has few downsides then it might be worth considering.