by slavik81 3755 days ago
What's wrong with that?
3 comments

Like a lot of security research blogs, this post doesn't have a good conclusion. This seems bad, and probably is bad, but there have to be details as to why it's bad, what is the danger, what is the threat model, etc.
Every app that runs on your systems with enough privilege could sniff your username and password and send it out.

That also means apps installed by a person who has access to your systems or malicious code that you, or someone who has access to your system, launched on your system. I'm not sure where it puts 1Password in terms of safely storing passwords, but it is probably in the area of a post-it on your monitor.

I don't know what your opinion is, but if I use a password manager, I'm expecting something more.

> Every app that runs on your systems with enough privilege could sniff your username and password and send it out.

Every app that runs on your systems with enough privileges can dump the memory and extract information via that.

I don't see how the situation you describe is avoidable, while retaining the ability for a user to automatically fill form fields. That inherently means that the password will be unencrypted and stored for some time; what's the practical difference between sending it via loopback and any other method?
Your firewall vendor knowing all your passwords? Nothing. And that is the most benign entity that could listen on the interface.