Thanks again for your help.
Sometimes I just have tomatoes on the eyes.

At first I thought that CredProtect was applied to the entire PCREDENTIAL, but at some point I found out that it was only applied to the CredentialBlob from the few examples that could be found on the internet.
The way I see it, you could also apply it to the attributes, but in the main data it's enough for me for now.

Now I will probably introduce a class-var for CREDENTIAL.Persist to be able to control when writing whether it should be saved locally or in the Windows-Domain. At the moment, local is enough for us here.