For unlocking a vault via Fingerprint (as well as storing WebDAV credentials), Cryptomator uses the built-in Keystore. Cryptomator generates an encryption key by using KeyGenerator with the requirement of user authentication. With this configuration, the key is only accessible by authenticating the user against the system using fingerprint or the system password and above of all, only for this application. Android is handling access to the key. Using the key without authenticating the user, the operating system will decline the access.
In summary, Cryptomator uses the recommended Keystore and Fingerprint handling by Android. It depends on you if you trust the Fingerprint service in Android. If you have security concerns, continue using the password mode.