What can attacker do having only masterkey.cryptomator and no recovery key or password? Is it dangerous?
And why changing password from weak to strong won’t increase security without creating new vault? What prevents to change key automatically in background?
Can you explain as I am 5?
nothing and no. See here: Why is the masterkey stored in the cloud?
see here: What happens exactly when I change password of a vault?
and here: Password and Recovery Key | Cryptomator Documentation
Imagine having a 2 TB Vault and you want to change the password (not make it stronger, just change it). This would mean to download, decrypt, re-encrypt and upload 2 TB of data.