Ask HN: Should you be self-hosting critical servers like Bitwarden?
6 points by thepiratesailor on Oct 16, 2020 | 3 comments
Ask HN: Should you be self-hosting critical servers like Bitwarden for 2FA, password manager?



For password managers specifically, one thing you can do to be a little less reliant on the "password manager app was compromised" attack is to pepper the passwords in your password managers. So every time you paste/auto-fill a password from your manager, you delete a bunch of characters and add a bunch of characters. Of course this requires some memorization and to some extent introduces back the very problem that password managers attempt to solve. Then you tune your pepper algorithm as much as you like: even sharing the same pepper algorithm for everything is not that bad, since it would require an attacker not only to compromise your PM but also to know one of your stored passwords. And you can give yourself tips on your pepper using the comments/notes section of the password manager.


Convenience/security tradeoff.

If you only care about convenience, you shouldn't be self-hosting - what if your server goes down? Much better to abstract this away and let someone else take care of it.

If you only care about security, you don't want anyone else's prying eyes anywhere near your recursively-encrypted secrets; self-host on a server that is airgapped from any publicly accessible networks.

Which of these do you care about more?


Even if I give up convenience for security, I may not be a seasoned DevOps guy like the one who is paid a good salary to do that 24x7. So it turns out that self-hosting is not for everybody. Small mistakes in configuration can lead to the entire infra getting compromised.



