
You can use it to do actions on the Keybase site by typing in your decryption password. Attack vectors: Keybase site code gets replaced with something malicious, now they have your key password and decrypted private key.

You can also do everything on the command line without trusting Keybase's server or their frontend JS.




Another problem: if their storage or a backup is compromised, the attackers can brute-force passwords offline without rate-limiting.

In some ways that's worse than actively trojaning their JavaScript, since there's no possible way for the target to know that's happened, whereas the frontend at least has the low but non-zero chance of someone noticing the malicious code.



