So how vulnerable is loopback on a machine in general? This is almost certainly not a best practice, but I can't help but wonder how practically exploitable this is.
You need superuser privileges to sniff the loopback. Which means if you're in a position to exploit this, you could just sniff the keyboard, or do any number of other malicious things instead.
If I already pwn your machine I can learn your passwords while they are moving. So - it will require a special target for the exploit to be worthwhile - lets say North Korean general that uses the same password for pornhub and nuclear launch. That is protected by 1password.
This is a complete non-issue.