Please recommend a solution for my password management needs

If you want to keep using Firefox’s built-in sync, just make sure your phone is relatively recent, from a major brand, and has a good, strong password/PIN. You should double-check this with the manufacturer or instructions, but the phone should be encrypted while off, and a few failed password entries should lock it and turn it off. It should generally be very difficult for a thief to break into a locked modern phone — they would generally need “state actor” (think intelligence service) level of resources in order to do so. You can also see if your phone supports remote wipe for added peace of mind.

Otherwise, if you don’t want your passwords to be protected only by your phone lock, then using a password manager that has its own built-in encryption would give you an additional layer of security — at the expense of having to type in another master password on top of your phone unlock.

Bitwarden is OK (I use it for work every day) but 1Password is a lot better, IMHO — it’s just easier to use. Either one encrypts your passwords with a separate master password, so even if someone steals your phone, your other passwords are useless without the master one.

In daily use, in practice, it means you would just need to enter the master password usually once a day (or whatever you set it to). Then the browser extension or mobile app would autofill passwords similar to how the built-in Firefox one would.

So TLDR:

  1. Use Firefox sync with a strong phone unlock, and check if your phone is encrypted when off and if it can be remotely wiped
  2. For stronger security, you can use a password manager with its own encryption. Both Bitwarden and 1Password are good. I prefer 1Password. Do NOT use LastPass, which has had a LOT of security incidents.

Edit: Oh, and either one can easily import from Firefox. You have to delete not only the CSV but also the saved Firefox passwords in the cloud afterward. Both also support easy exports, so you can take your passwords (and also your 2FA and passkeys, if you choose to use them) with you elsewhere if you ever need to.

Edit 2: Sorry, just saw the “iPhone” mention specifically. If it’s from within the last few years, you should be fine with a strong PIN.