Too Long; Didn't Read
Most functions that generate randomness are not considered cryptographically secure. That means that an attacker can take a good guess at what number a non-secure randomness generator generated. Strong pseudo-randomness (or entropy) generators are not guessable by an attacker. A software-only system like Qvault can at best generate strong pseudo random data because we are working on deterministic systems. If you need a random number within a range of 0-9, then use non-biased function that uses crypto.randombytes() as the source of entropy.