If you don’t enable the Firefox Sync feature, then the database is stored locally in your profile (logins.json) and it never leaves your computer. Each record in there looks like:
{"id":6,
"hostname":"https://www.example.com",
"httpRealm":null,
"formSubmitURL":"https://www.example.com",
"usernameField":"...",
"passwordField":"...",
"encryptedUsername":"....",
"encryptedPassword":"....",
"guid":"{00000000-1111-2222-3333-444444444444}",
"encType":1,
"timeCreated":1308628396205,
"timeLastUsed":1654022880149,
"timePasswordChanged":1343726148177,
"timesUsed":13},
The user names and passwords are encrypted. I don’t know where the key comes from, but it appears to be locally generated and different on each computer, since the encrypted strings are different on different computers, even after they have been sync’ed together.
If you configure a primary password for your passwords, then Firefox will not allow access to the contents without the password. Without this password, anyone running Firefox can go to the password manager (in the app) and view the contents.
I noticed that the logins.json file does not change when a primary password is enabled, so I suspect that under the covers, the system creates a random encryption key and stores it somewhere in your profile, with the primary password encrypting that key. But I’m not sure.
If you enable Firefox Sync, then the data is end-to-end encrypted using a key derived from your Firefox account password. (So make sure that that one is particularly secure!) The encrypted database is stored on FF’s cloud server. Login credentials to that server are authentication tokens cryptographically derived from your account password - so they never receive your actual password and (they claim) it is impossible to derive the encryption key from the authentication token.
Anyone can configure Firefox to sync your passwords, but they would need your FF account password to download and decrypt the file. And if you have 2FA enabled on your FF account, they’ll also need that in order to initiate the download.
I assume the data encrypted by the sync service contains the plaintext user IDs and passwords, since the locally-stored versions seem to use different keys on different computers, even after they have been sync’ed.
As for an analysis of how secure this system is, I’ll leave that to others, but here are a bunch of articles that explain how they say it works, along with an audit report from 2017.
See also:
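Added example (not part of the original post, and not Firefox code): a read-only inventory of a logins.json file that shows which fields of the record format quoted above are readable without any key, and how old each stored password is. The top-level "logins" array, the function names and the 365-day threshold are assumptions of this sketch; the sample record is constructed from the one in the post.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the record from the post, wrapped in a top-level
# "logins" array (the wrapper is an assumption; the post shows one record).
SAMPLE = '''{"logins":[{"id":6,"hostname":"https://www.example.com",
"httpRealm":null,"formSubmitURL":"https://www.example.com",
"usernameField":"...","passwordField":"...",
"encryptedUsername":"....","encryptedPassword":"....",
"guid":"{00000000-1111-2222-3333-444444444444}","encType":1,
"timeCreated":1308628396205,"timeLastUsed":1654022880149,
"timePasswordChanged":1343726148177,"timesUsed":13}]}'''

# Only these two fields of a record are ciphertext; everything else is cleartext.
ENCRYPTED_FIELDS = ("encryptedUsername", "encryptedPassword")
MS_PER_DAY = 86_400_000


def ms_to_date(ms):
    """Record timestamps are milliseconds since the Unix epoch (UTC)."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).date()


def summarize_logins(text, now_ms, stale_days=365):
    """Return one row per record using only fields that need no decryption."""
    rows = []
    for rec in json.loads(text).get("logins", []):
        # Fall back to the creation time if the password was never changed.
        changed = rec.get("timePasswordChanged") or rec.get("timeCreated")
        age = (now_ms - changed) // MS_PER_DAY if changed else None
        rows.append({
            "hostname": rec.get("hostname"),
            "created": ms_to_date(rec.get("timeCreated")),
            "last_used": ms_to_date(rec.get("timeLastUsed")),
            "times_used": rec.get("timesUsed"),
            "password_age_days": age,
            "stale": age is not None and age > stale_days,
            "cleartext_fields": sorted(k for k in rec if k not in ENCRYPTED_FIELDS),
        })
    return rows


if __name__ == "__main__":
    # "now" is pinned to the sample's timeLastUsed so the output is repeatable.
    for row in summarize_logins(SAMPLE, now_ms=1654022880149):
        print(row)
```

Site names, usage counts and timestamps come back without any key, so a copied profile reveals where accounts exist even when the credentials themselves stay encrypted.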