In that case, I’ll back up and try to answer your specific question about Ionic.
Ionic isn’t going to make this any harder than it would be with any other technology that bundles web applications into mobile apps, and it might make aspects of it a bit easier. I would recommend looking at https://github.com/mibrito707/cordova-plugin-secure-storage-echo, because it is what lies underneath ionic-native secure storage. The data at rest encryption is at the mercy of the runtime environment. That plugin leverages the Keychain (iOS) and KeyStore (Android) features to handle:
Because of the way the cordova bridge works, those values are going to come across as strings, so I think you’re at the mercy of the v8 garbage collector and/or the OS virtual memory system as far as trying to guarantee:
As for this bit, which you referenced in OP:
I think it would be feasible (although a bit tedious) to write a replacement for an ordinary
<input> control that writes a password to a typed array character by character. Anything using Cordova or Capacitor is going to be limited again by the www/native bridge passing only strings.
Hopefully that is of some use.