by julienpalard 1399 days ago
Just the built-in managers. Others are worse: they do vendor locking for profit.
2 comments

They do CSV exports and imports so are quite friendly to moving to another option
Bitwarden is fully open source, both client and server - no lock-in.
You just need to be able to run your own server?
Yes, or go with their hosting, and the password manager design allows you to encrypt your data so even they can't get access to it.

Obviously this is quite the honeypot, so people will be trying to attack it in the general case. Browser bugs, JS bugs in extensions and such like are a risk.

If you want to be more paranoid (not a bad thing) you might need to do away with a password manager in the browser, and use an independent program like KeePass. More paranoid and you would run that program on its own separate physical device.

There is a balance between security issues trusting someone else, and security issues rolling your own and screwing it up though.

For example, is KeePass with a password only less/more secure than LastPass with an encryption key and password?

It shouldn't be a "and the design means that they can't access it" that should be the only behavior?

I agree with your other points.

Assuming the LastPass encryption key is a separate token I would say LastPass wins, but that is solely assuming similar architecture, obviously you can make design decisions that mess up everything.

Bitwarden also has an independent app (also open source), in case you don't want to use the browser.