How device binding, offline grace, and remote wipe actually work.
Every vault key is sealed inside your device's TPM — a dedicated security chip — and is non-exportable, so it can never leave that machine. Copy the vault files (or even the sealed key blob) to another computer and they're useless. Your real data lives in git or wherever you cloned it from, so moving to a new device just means re-activating and re-cloning.
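The device binding described above, as an added example that is not the product's own code: a software model of sealing, showing why a copied key blob opens only on the device that produced it. `ModelTPM` and `copy_blob_to_other_device` are hypothetical names, and the per-device seed stands in for the secret a real TPM keeps in hardware.

```python
import hashlib
import hmac
import os


class ModelTPM:
    """Software stand-in for one device's TPM (hypothetical; not a real TPM API)."""

    def __init__(self):
        # Constructed per-device secret. A real TPM holds its equivalent in
        # hardware and offers no command that returns it.
        self.__seed = os.urandom(32)

    def _subkeys(self, nonce):
        enc = hmac.new(self.__seed, b"enc" + nonce, hashlib.sha256).digest()
        mac = hmac.new(self.__seed, b"mac" + nonce, hashlib.sha256).digest()
        return enc, mac

    def seal(self, vault_key):
        """Wrap a key of up to 32 bytes into a blob that is safe to store on disk."""
        if len(vault_key) > 32:
            raise ValueError("model seals at most 32 bytes")
        nonce = os.urandom(16)
        enc, mac = self._subkeys(nonce)
        ct = bytes(k ^ e for k, e in zip(vault_key, enc))
        tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob):
        """Return the key only if this device's seed produced the blob."""
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        enc, mac = self._subkeys(nonce)
        expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("blob was not sealed by this device")
        return bytes(c ^ e for c, e in zip(ct, enc))


def copy_blob_to_other_device():
    """Seal on one device, then try to unseal the copied blob on another."""
    original, other = ModelTPM(), ModelTPM()
    vault_key = os.urandom(32)  # constructed sample key
    blob = original.seal(vault_key)
    opens_on_original = original.unseal(blob) == vault_key
    try:
        other.unseal(blob)
        opens_on_other = True
    except PermissionError:
        opens_on_other = False
    return opens_on_original, opens_on_other
```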