keyloggers
Very true, and I assume everything is keylogged... and that the NSA has enough Bitcoin so it's better for them not to sweep ours.
But if your keystrokes are exfiltrated, so too would your keyfile under such assumptions. Even if it's stored separately, it's read in the same place.
My point was that it's an extension of the key in all but the rarest circumstances.
Nesting would be an interesting option for the truly paranoid. Ex: A passphrase-protected keypass file that contains yet another keypass file, that is itself keyfile-protected for use on a separate airgapped system... that should at least be a moderate inconvenience to a backdoor attacker.