[Nextgrid]

I don't particularly see why Bitwarden would be any better at defending against this kind of attack, unless you're talking about self-hosting (and I would trust a hosted service more than a non-technical person self-hosting in this case).

[g_p]

And even if you run self-hosted, you're still needing to either audit every line of the web vault (and changes made each time it's updated), or the browser extensions or client applications.

Self hosting can help insulate you from a server side bulk compromise (with adequate security measures in place yourself which, as you say, not everyone will do), but it won't deal with the more pervasive software supply chain issues of compromised development environments etc.