by shigawire 1396 days ago
My problem is that as an unskilled person - will I be any better at securing my own system?
3 comments

If the password journal my mom left at my house while visiting is any indication: absolutely not.

Use a password manager, remember a 2nd password for your email yourself, and then use a second factor for as many things as possible. USB keys are best, but anything is better than nothing: SMS, Authy, Google Authenticator, phone call, whatever. Chrome and Safari both have password managers these days, and some Chromebooks even have a builtin second factor. 2FA is still a hassle for sure, but it's getting better all the time.

People like to dunk on the password journal, but I find it hard to believe that someone is going to break into your mom's house as the way to access her bank or Facebook account.

It's a horrible idea to leave the password for the database sitting next to the admin's workstation. But physical access is a vastly different concern for a corporation than an individual.

Threat surfaces are different for different people. I'd _love_ if my parents kept a separate password notebook instead of an unlocked note on their phone.

2FA is obviously good but different. But a notebook is an entirely offline password manager and it immediately lets people do one of the most important things which is not repeat passwords.

Yup. Writing passwords on paper, at home, is just about as secure as it gets.
Self hosted, on-prem, 2FA (something you have and somewhere you are). If your handwriting's bad enough you're almost pushing into some kind of biometric lock.

:)

The password journal is probably the safest, provided the passwords themselves are strong. The likelihood of someone compromising your mom's passwords online is an order of magnitude greater than someone breaking into her house and copying her journal.
Unless she picked bad ones, or is prone to leaving it places, what exactly is the problem with the journal?
And my answer, as someone who doesn't work for a password company but is into this sort of thing, is "Yes, I believe one can be." -- or more precisely, "When you do it yourself, as opposed to a no-real-liability password company, you can get a better read on what the issues are."

Consider a classic "grandma" solution. A little notebook with good passwords kept in the purse or wallet. The issues here are more knowable than with LastPass or whatever.

> classic "grandma" solution

> with good passwords

Well, which is it?

In all seriousness though, the two main benefits of password managers are they only autofill on the correct domain and they’ll suggest actually good passwords.
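To make the point above concrete, here is an added example (not code from the thread or from any password manager) that mimics the two behaviours the comment credits to password managers: autofill that fires only on the exact origin the credential was saved for, and password generation from a CSPRNG. The vault contents and URLs are constructed for illustration.

```python
"""Added example, not from the original thread.

1. Autofill only on the exact origin a credential was saved for, so a
   phishing page at a lookalike host never receives the password.
2. Generate passwords with real entropy instead of human-chosen ones.

The vault entries and every URL below are constructed sample data.
"""
import math
import secrets
import string
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the (scheme, host, port)
# origin they were saved on. Both hostnames are made up.
VAULT = {
    ("https", "accounts.example-bank.com", 443): ("alice", "hunter2-but-better"),
    ("https", "www.example-social.net", 443): ("alice", "another-unique-one"),
}


def origin_of(url: str):
    """Return the normalised (scheme, host, port) origin of a URL.

    urlsplit handles the userinfo trick for us: in
    'https://accounts.example-bank.com@evil.example/' the hostname is
    evil.example, not the bank.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, host, port)


def credential_for(page_url: str):
    """Mimic a password manager's autofill rule: fill only when the page
    origin exactly equals the origin the credential was saved for.

    A human reading 'accounts.example-bank.com.login-verify.example' sees
    the familiar name and types the password; exact-origin matching sees a
    different host and returns None. A downgraded http:// page also gets
    nothing, because the scheme (and default port) differ.
    """
    return VAULT.get(origin_of(page_url))


# Generator alphabet: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Draw a password from the OS CSPRNG via the secrets module, retrying
    until every character class is present (some sites insist on that)."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int) -> float:
    """Approximate entropy of a uniformly drawn password of this length
    over the 94-symbol alphabet: length * log2(94), about 6.55 bits each."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for url in ("https://accounts.example-bank.com/login",
                "https://accounts.example-bank.com.login-verify.example/login",
                "https://accounts.example-bank.com@evil.example/login",
                "http://accounts.example-bank.com/login"):
        print(f"{url:65} -> {credential_for(url)}")
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.0f} bits)")
```

The first URL is the only one that autofills; the lookalike host, the userinfo trick and the plain-http downgrade all return nothing, which is exactly the decision a person reading the address bar tends to get wrong. A 20-character password from this generator carries roughly 131 bits of entropy, far beyond anything a human would choose and remember.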

No, but there are easy-to-use, reliable and secure solutions, such as Bitwarden.
I don't particularly see why Bitwarden would be any better at defending against this kind of attack, unless you're talking about self-hosting (and I would trust a hosted service more than a non-technical person self-hosting in this case).
And even if you run self-hosted, you still need to either audit every line of the web vault (and the changes made each time it's updated), or the browser extensions or client applications.

Self hosting can help insulate you from a server side bulk compromise (with adequate security measures in place yourself which, as you say, not everyone will do), but it won't deal with the more pervasive software supply chain issues of compromised development environments etc.