by tex0 1263 days ago
Why did people think that using a cloud based password manager (or for that matter: a closed source one) was ever a good idea?
2 comments

Because there needs to be a baseline level of convenience in order to get less-technical people to even consider using a password manager at all.

If the alternative is using the same handful of weak passwords for every site, the risk of your password manager suffering a security breach doesn't look so bad in comparison.

There is a pretty large gap between "cloud based password storage" and "using the same password for each site".

1Password for /years/ worked with a local vault (and no remote sign-in requirement), and had relatively simple syncing to iOS via wifi (no idea on other OSes, that's what I use).

I've shared my password vault between these two places with no issues and it didn't need a cloud account and I wasn't re-using passwords.

That's literally the option though if you've managed to convince someone to use a password manager.

I convinced a family member and their response to the breach was "okay, who should I use instead? Or do I go back to using one password for everything?"

"okay, who should I use instead? Or do I go back to using one password for everything?"

Given that "using one password for everything" is such a terrible idea that we can discount it as probably worse than storing your passwords in a cloud-based vault, you land on the other option your family member has given you: "what should I use instead?"

Ultimately if* there are no password managers available that will do syncing of locally stored vaults, then there are actually multiple options here:

1. Accept that the convenience (of device sync) here trumps the security issue that storing passwords in a cloud based vault causes.

2. Should there be no options that allow for device sync /and/ local-only vaults, then there is another option, which is to not do automatic syncing.

Option 2. is somewhat inconvenient (how much depends on who you are and what you do), but it is still an option.

Personally, Option 1. is a line I'm not willing to cross. I see single repositories of 10s to 100s of thousands of people's passwords as a "password piñata", a massive target for attack, and so I'd take the inconvenience over the compromise. That said, I'm lucky to have a 1Password 7 still, so I do have local vaults and sync, but there's not a chance in hell I'm uploading this stuff to a central repo.

* Enpass might do what you want. It was a suggestion in the comment thread here.

I'm not concerned for me, I'm concerned with what less sophisticated people are willing to put up with.

Our options are convenience of device sync or one password.

Or some other mechanism, because I have been told in no uncertain terms that's as far as it goes.

I can't even convince this family member to rotate their passwords. What makes you think they'll be willing to put up with more inconvenience?

Again, the problem is the unsophisticated user who only has so much brain space for this shit.

"Relatively simple" for you or me maybe; for my 70-year-old parent, not so much. The bar is high.
This contributes nothing to the discussion, except giving you a reason to feel better than others for arbitrary reasons.
The gpost contributed to the discussion I am having with my kids, namely: avoid cloud-based pw storage. They're beginning to understand why, finally. We also discussed 'feeling better than others for arbitrary reasons'.