Hi @ben,
I am not familiar enough with the GDPR guidelines to say for sure. I looked into it a bit, but the information I found on Encryption didn’t cover this type of vector, but I also may not be looking in the right place. If you have specific documentation sections to look at, let me know.
Keep in mind that an attacker would not only need to access your computer, but they would need to log in as your user on that computer. This is because the passphrase is kept in an encrypted container that is user-specific and requires the user to have a valid, logged-in session to make use of.
I actually wrote a post going into some of our Encryption details here: Encryption questions: Key storage, decryption process, and others
Keep in mind that we are working on our next version of Encryption, so we are taking a look at things in this area. For example, the ability to set expiration on the storage of the passphrase, and introducing the idea of “locking” files/folders, which would require additional measures to open.