For me, the critical aspect is that the clients (like 1Password itself) don't trust the central password vault. Everything is encrypted on the client with keys that the central store doesn't have: https://teams.1password.com/security/