couldn't they just load it up into PasswordMaker and start inputting Master Passwords using a dictionary attack?
First: dictionary attacks only work with poorly-chosen passwords. Don't choose a master password susceptible to this kind of attack. Second: how would the cracker automate the input of a million-word dictionary into PasswordMaker?
If the "passwordmaker.rdf" stores all the settings and someone steals it,
Why did you let him steal it? Why isn't your network and/or physical access to your PC secure? Why didn't you encrypt the file using OS-level encryption, as discussed in the FAQ?
couldn't they just try Master Passwords until it generated one that works?
You're assuming all people store usernames in the passwordmaker.rdf. Not all people do. How are you going to get usernames? A password is no good without a username.
If someone holds my mother at gunpoint, tells me he'll kill her if I don't reveal my Gmail username and password, aren't I vulnerable?