> *I emphatically DO NOT UNDERSTAND the extent to which people place trust in external services to manage passwords.*

I'm generally fine with this if the password vault is end-to-end encrypted, the vault's password is never shared with the server, and the server doesn't have access to the plaintext passwords at all.
At that point you have to trust that the crypto used for the vault is done correctly (and that trust is easier to come by if the clients are open source). But that's the same trust you'd have to extend if you used another solution (e.g. Bitwarden) that allowed you to self-host the sync service.
If you only access password-protected resources from one system, then you don't need sync at all, and this problem goes away. If you do need sync, you're going to have this problem no matter what.