johnny, totally get the security concerns with the master key. What about keeping the main vault as-is with master key encryption, but adding a secondary vault just for client-facing credentials? Each client gets their own derived encryption key from their credentials.
Basically, take the existing credential sharing view and make it 'permanent' for clients. A tech marks a credential with a "client-accessible" tag or toggle, which triggers a copy to the client vault encrypted with their key, so that when a client logs in, they click credentials, see their list, click one and get that same read-only popup view.
No master key exposure, compromising one client doesn't affect others, and techs control what goes in the client vault.
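
The per-client vault proposed above, as an added Node.js example that is not part of the original post and not the project's code: each client's key is derived from their login secret, and a record sealed for one client does not open under another client's key or under another client's id. Assumptions: scrypt as the KDF, AES-256-GCM for the records, all function names and sample values are hypothetical, and the client's derived key is available at the moment the copy is written.

```javascript
// Added example: names, parameters and sample data are constructed for illustration.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Derive a 256-bit key from a client's login secret and a per-client random salt.
function deriveClientKey(password, salt) {
  return scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Copy one credential into the client vault, encrypted under that client's key.
// The client id and credential name are bound as AAD so a record cannot be
// moved to another client's row or renamed without failing authentication.
function sealForClient(clientKey, clientId, name, secret) {
  const iv = randomBytes(12); // fresh 96-bit nonce per record
  const cipher = createCipheriv('aes-256-gcm', clientKey, iv);
  cipher.setAAD(Buffer.from(`${clientId}:${name}`));
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  return { clientId, name, iv, ct, tag: cipher.getAuthTag() };
}

// Read-only view: decrypt a record with the key derived at client login.
// Returns null when the key or the record metadata does not match.
function openForClient(clientKey, record) {
  try {
    const d = createDecipheriv('aes-256-gcm', clientKey, record.iv);
    d.setAAD(Buffer.from(`${record.clientId}:${record.name}`));
    d.setAuthTag(record.tag);
    return Buffer.concat([d.update(record.ct), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed demo data: two clients, one credential marked client-accessible.
function demo() {
  const acme = { id: 'acme', salt: randomBytes(16) };
  const globex = { id: 'globex', salt: randomBytes(16) };
  const acmeKey = deriveClientKey('acme-portal-passphrase', acme.salt);
  const globexKey = deriveClientKey('globex-portal-passphrase', globex.salt);
  const rec = sealForClient(acmeKey, acme.id, 'Office WiFi', 'example-wifi-secret');
  return {
    owner: openForClient(acmeKey, rec),         // decrypts for the owning client
    otherClient: openForClient(globexKey, rec), // another client's key fails
    moved: openForClient(acmeKey, { ...rec, clientId: 'globex' }), // AAD mismatch
  };
}
```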