That's why I hang onto 1Password - at least on macOS and Safari, the browser extension just calls the native client - the actual UI (where you enter your master password and then select which credential to auto-fill) is managed by a separate process. The worst a compromised browser can do is prompt the UI to display and provide a suggested domain to pre-select.
Unfortunately I believe that’s Safari-only and even then they seem to be aiming to move away from it - all non-Safari extensions are a “fat” client called 1Password X where the entire logic (and thus the sensitive data) is within the browser.
Interesting. Something that is off putting regarding lastpass is the complete lack of a native client, it strikes me as pure laziness & complacency. Maybe lastpass does in fact run natively, outside of the broswer, but requiring a web browser is ridiculous. I'm aware there's a native app for windows, but it's horrific.
Unfortunately I believe that’s Safari-only and even then they seem to be aiming to move away from it - all non-Safari extensions are a “fat” client called 1Password X where the entire logic (and thus the sensitive data) is within the browser.