I think a big part of this is understanding what you are protecting, and who you are protecting that from.
If you are logged in to your device, most info is lying on your SSD, available to any app running as your user.
Most web browsers (not looked at Sonoma Safari private tabs yet) store a JSON or PLIST file that sets out all the current tabs, their URL etc. That's how they resume previous sessions and reload your tabs. The history database is also generally available as a file, listing all visited URLs. Anything/anyone that can access your logged-in session can see that. The notional security boundary on a Mac device is the system lock screen (and the trusted boot chain, secure enclave and FileVault help to enforce the system lock screen).
If you are trying to protect information from the currently logged-in user, that will be fairly difficult, as presumably someone logged in knows your user password or has an enrolled Touch ID credential (which means they can unlock and access keychain credentials). Or you have walked off and left the device logged in (which is a different issue).
Unless it's clear what the goal is though, it's likely someone could get around this in a second or two. That's not to say there aren't good reasons to look at protecting browser data (e.g. https://orionfeedback.org/d/4809-encrypt-sensitive-local-data-in-the-orion-applicationsupport-folder-with-a-keychain-based-credential), but for something like a master password or "app locker" (I presume this means some credential to open Orion), that would realistically mean encrypting browser state and unlocking it with the user keychain via Touch ID. At least that's the most "sane" way.
Many "app lockers" are theatre to impress the user with a prompt, but can be trivially bypassed (if they are implemented by the app itself). Hence the importance of understanding the exact goal here. Who/what is this feature to protect against? (For private tabs, where no record is stored on SSD, there might be a viable way to do this, which is what I guess Safari is doing - not storing tab state to SSD, and using a system authenticator to unlock the existing window. Not insurmountable, but fairly secure as long as an attacker can't do Touch ID auth as the user.)