They don't have to break the vault encryption. They just have to gain access to 1pwd's git and push out a compromised update. And then watch the passwords roll in automatically.
Yes exactly that's what I'm worried about, I'd say if that happened it would be targeted and the chance of me being targeted is small but I also don't want to ever leave myself open to such a thing (also because I've lived in autocratic countries, I don't automatically think all governments are trustworthy).