Charger8232

@Charger8232@lemmy.ml


Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

As long as you generate your passphrases properly (i.e. making sure they still have high entropy and don't fall into the same pitfalls I listed, in case someone still decides to brute force your password as a passphrase), you can have a very secure passphrase. However, as far as sheer entropy goes, passwords have more entropy in a more compact space and are better in that respect.

P.S. Some applications have a character limit, meaning you'll get more entropy out of a password than a passphrase. You might accidentally get weak entropy in a passphrase because of the character limit.

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

you don't have to type in something 10x as long, so you can get a lot more entropy in a smaller space

This is especially useful when you require a lot of entropy; having an essay as your passphrase isn't very fun!

the mnemonic can be anything you want it to be as long as the words start in the respective letters

You can even make up your own rules, not just starting with the respective characters.

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

That’s a lot of supposition.

For the sake of an example.

The reality is the password guesser has a string of 29 characters.

Actually, not even that. It would be hashed as a fixed length (256 bits usually).

Again, most of what I was saying was just for the sake of an example to show that under the right circumstances the length of a password doesn't dictate its security. Even if it's an extreme, security is only as strong as its weakest link. I'm not denying that it can be unrealistic, and I'm not saying it's insecure (hence the "grain of salt" section that addressed all of your points), I'm just showing how it could be possible.

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

Also, someone can hijack your contacts and bribe/torture all 3 people into giving them your credentials.

Charger8232 OP , (edited ) to Privacy in How can you prevent KeePassXC database lockouts?

they don’t even know they’re trying to guess words in the first place.

That is true, but the math is still the same regardless.

Suppose you had a word list of 1,000 five-letter words. Each of your passphrases is 5 words long. That means you have 1,000^5 possible combinations of passwords, which is an entropy of ~49.8 bits. Even though each passphrase is going to be 29 characters long (5 five-letter words plus 4 spaces in between), the password wasn't generated character by character.

By contrast, suppose you used all 95 characters on the (US) keyboard: an 8-character password has 95^8 combinations, which is an entropy of ~52.6 bits. Even though the passphrase has 21 more characters than the password, the password still has more entropy.

Big grain of salt here: You can get a huge word list and remember much longer passphrases easily, but the point is to show that the number of characters doesn't dictate the security of a password. If someone were to brute force a passphrase character-by-character, it would hold up very well, but a) Not many people use passphrases and b) It's far more common to use password dictionaries than to brute force.

Hope this helps! Here's the Wikipedia page for password entropy

P.S. If someone found your word list, they could probabilistically brute force your passwords. For example, if 75% of your five-letter words started with the letter S, they could deduce that most of the words likely start with S, and they've already eliminated a few characters to brute force.
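
Added example, not part of the comment above or of the original thread: the entropy arithmetic from that comment in Python, extended to the character-limit case mentioned elsewhere on this page. The function names and the 16-character limit in the demo are assumptions made for illustration; the 1,000-word list, five-letter words and 95-character set are the comment's own figures.

```python
import math
import secrets
import string

# 95 printable ASCII characters: letters, digits, punctuation and space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "

def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)

def picks_needed(pool_size: int, target_bits: float) -> int:
    """Smallest number of uniform picks that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))

def words_that_fit(char_limit: int, word_len: int) -> int:
    """Number of space-separated words of `word_len` letters within `char_limit`."""
    return max(0, (char_limit + 1) // (word_len + 1))

def compare_under_limit(char_limit, wordlist_size=1000, word_len=5):
    """Entropy a passphrase and a password can each reach inside a character limit."""
    n_words = words_that_fit(char_limit, word_len)
    return {
        "words": n_words,
        "passphrase_bits": entropy_bits(wordlist_size, n_words),
        "password_bits": entropy_bits(len(ALPHABET), char_limit),
    }

def generate_password(length: int) -> str:
    """Uniform random password drawn with a CSPRNG, so entropy_bits() applies."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def generate_passphrase(wordlist, n_words: int) -> str:
    """Uniform random passphrase; entropy depends on len(wordlist), not on length."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    print(f"5 words from 1,000: {entropy_bits(1000, 5):.1f} bits")
    print(f"8 chars from 95:    {entropy_bits(95, 8):.1f} bits")
    # Words needed from the same list to match the 8-character password.
    print("words to match:", picks_needed(1000, entropy_bits(95, 8)))
    # Constructed scenario: an application that caps input at 16 characters.
    print(compare_under_limit(16))
    print("sample password:", generate_password(8))
```

These figures hold only when every word or character is chosen uniformly at random, as `secrets.choice` does; a human-chosen phrase has less entropy than the formula reports.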

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

So someone who got to you would have at least two of the three by default.

Both are useless without the third, and can be easily regenerated. Also, you can be tortured for your passwords.

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

You could technically achieve this by giving one person the password, another person the key file, and the third person the security key.

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

Another solution would be a recovery pool.

That is a really interesting method! Thanks for sharing, I've learned something new. A way to solve the stakeholders unlocking it would be to also require the admin's own credentials plus 2 (or however many) stakeholder credentials to unlock it. However, that could cause stakeholders to target the admin.

Charger8232 , to Privacy in [Solved] Looking for a privacy oriented fitness tracker

While this may not be what you're looking for, it's worth mentioning that a good ol' pencil and paper does wonders. It won't have everything you need, but you can time how long you ran for with a stopwatch, count how many pushups you do, manually measure your pulse, etc. If you're good with data processing you can stick the data in a spreadsheet and process it to see your progress. The bonus is you'll learn a lot more about health through doing it yourself. Besides that, I've never used a smart watch or fitness tracker. I've just exercised until I get tired.

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

Or hell it could even be a hard drive in a box somewhere

That one guy: "I store my backups in a concrete box in the bottom of the ocean. It's very secure!"

That guy when his system fails: "Hunny, I have to go scuba diving for our passwords."

(This was meant as a joke)

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

Most passwords can be converted to passphrases to help you remember them. A password "8pmfvt3bww7t" could be remembered as "8 pandas might find vases that 3 bears will wash 7 times." Obviously not all passwords will work for this, but it's a good way to remember random strings. Passphrases are long in characters but have an entropy dependent on how long your wordlist is. For example, 3 words might be 20 characters, but it's easy to guess 3 words since you're not going character by character.

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

My method is that I have a passphrase with some special symbols that unlocks my database and it is decently long.

Where is your password stored? If it's only by memory, what happens if you forgot it or needed someone else to unlock it in an emergency?

Charger8232 OP , to Privacy in How can you prevent KeePassXC database lockouts?

If you completely lose your password to your vault there is nothing you can do, simple as that. Don’t lose it.

Unfortunately, as mentioned in the post, there are some ways to lose access to your password that are out of your control. Furthermore, the more places you store your password the less secure it is. It would be a lot easier to be able to authenticate with multiple authentication methods individually, than to rely on having access to all of them at once. That's the problem I'm trying to address here.

Cloud-based sync is incredibly easy with self-hosted cloud, as pointed out by the KeePassXC FAQ. Self-hosted cloud is effectively a local solution.

It is still subject to the issues listed in the 3-2-1 rule, however the goal of self hosting itself conflicts with that rule (since the rule dictates the use of off-site cloud storage). I will note, it does somewhat solve the issue of keeping database backups, as any device pulling from the local cloud server effectively becomes a backup of your database.

Charger8232 , to Privacy in Google Agrees to Delete Billions of Files Collected in Chrome Incognito

This topic was already covered over a week ago.

Charger8232 OP , to Privacy in Where are places you see ads?

If you consider raising awareness about a brand name to be an advertisement, then it does. I do see your point, though.
