Firefox Sync is unacceptable for password — or any other private data — storage. This is a pity, since the old protocol was very suitable.
It wasn't, because I've managed to lose my history with it. I very much prefer my history to be synchronized to a server I cannot lose.
> you download the browser once
That's not true. Modern browsers are set to upgrade automatically in the background, without notifying the user.
If you're paranoid, you can self-host your own Sync server, but if you don't trust the vendor of your browser, then you've got bigger problems and I hope you're compiling your own binaries.
My browser isn't; I use the Debian Firefox package and update it on my schedule.
> If you're paranoid, you can self-host your own Sync server
Only if you host it locally; if you host it at a VPS/dedicated-system provider then you're trusting that provider never to break into your system.
It's bad social hygiene to develop systems which are breakable.
The problem with that is that if the auth server is on a machine you don't have complete control over (e.g. one hosted by a dedicated-system or VPS provider) then you are trusting that provider to never break into your machine; you are also trusting that machine never to be broken into via some remote exploit.
That's far too much trust for a system hosting sensitive data like passwords. The only secure thing is to deploy a system with as little trust as possible.
The great thing about the self-hosted sync server is, the storage and auth components are separated, and the storage one just stores encrypted blobs.
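To make the separation concrete, here is an added illustration (not Firefox Sync's own code or protocol, and not from any commenter above) of the architecture the comment describes: an auth component issues tokens, a storage component accepts only token-authenticated writes and reads of opaque blobs, and the encryption key is derived and used only on the client. The token format, the shared token secret, the salt, the HMAC-based key derivation and the sample password record are all assumptions made for the example; a real client would use a slow KDF such as PBKDF2 or scrypt rather than a single HMAC. `RoundTrip` also reports whether the stored bytes ever contained the plaintext, which is the property that makes an untrusted storage host tolerable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// AuthServer issues bearer tokens bound to a user id (hypothetical design).
type AuthServer struct{ secret []byte }

func (a *AuthServer) IssueToken(userID string) string {
	mac := hmac.New(sha256.New, a.secret)
	mac.Write([]byte(userID))
	return userID + "." + hex.EncodeToString(mac.Sum(nil))
}

// VerifyToken returns the user id a token is bound to, or false if the MAC is wrong.
func (a *AuthServer) VerifyToken(token string) (string, bool) {
	i := strings.LastIndex(token, ".")
	if i < 0 {
		return "", false
	}
	userID := token[:i]
	if !hmac.Equal([]byte(a.IssueToken(userID)), []byte(token)) {
		return "", false
	}
	return userID, true
}

// StorageServer keeps one opaque blob per user. It shares only the token
// secret with the auth server and never sees a plaintext or an encryption key.
type StorageServer struct {
	auth  *AuthServer
	blobs map[string][]byte
}

func NewStorageServer(auth *AuthServer) *StorageServer {
	return &StorageServer{auth: auth, blobs: map[string][]byte{}}
}

func (s *StorageServer) Put(token string, blob []byte) error {
	userID, ok := s.auth.VerifyToken(token)
	if !ok {
		return errors.New("storage: invalid token")
	}
	s.blobs[userID] = append([]byte(nil), blob...)
	return nil
}

func (s *StorageServer) Get(token string) ([]byte, error) {
	userID, ok := s.auth.VerifyToken(token)
	if !ok {
		return nil, errors.New("storage: invalid token")
	}
	blob, ok := s.blobs[userID]
	if !ok {
		return nil, errors.New("storage: no blob for user")
	}
	return append([]byte(nil), blob...), nil
}

// DeriveKey turns the passphrase into an AES-256 key on the client only.
// HMAC-SHA256 keeps this in the standard library; use a slow KDF in practice.
func DeriveKey(passphrase, salt []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write(passphrase)
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM; the random nonce is prefixed to the blob.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a blob from Encrypt; any modification fails the GCM tag check.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// RoundTrip encrypts on the client, stores via token, fetches and decrypts.
// The second result is true only if the stored bytes contained the plaintext.
func RoundTrip(auth *AuthServer, store *StorageServer, userID string, passphrase, plaintext []byte) ([]byte, bool, error) {
	key := DeriveKey(passphrase, []byte("salt:"+userID)) // assumed salt scheme
	token := auth.IssueToken(userID)
	blob, err := Encrypt(key, plaintext)
	if err != nil {
		return nil, false, err
	}
	if err := store.Put(token, blob); err != nil {
		return nil, false, err
	}
	stored, err := store.Get(token)
	if err != nil {
		return nil, false, err
	}
	out, err := Decrypt(key, stored)
	return out, bytes.Contains(stored, plaintext), err
}

func main() {
	auth := &AuthServer{secret: []byte("shared-token-secret")} // constructed
	store := NewStorageServer(auth)
	record := []byte("site=example.org user=alice pass=hunter2") // constructed sample
	out, leaked, err := RoundTrip(auth, store, "alice", []byte("correct horse"), record)
	fmt.Printf("recovered=%q leaked=%v err=%v\n", out, leaked, err)
}
```

The point of the split is visible in what each side holds: the auth server knows only the token secret, the storage server knows only tokens and ciphertext, and a storage host that is broken into (the VPS scenario above) gets blobs it cannot open and cannot silently alter, since a tampered blob fails the GCM tag check on the client.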