1Password is making choices for the business at the cost of security. Sucking people's password vaults into their cloud is very not cool. Additionally, removing the local-vault-only option is another business-first decision.
It's only a matter of time before 1Password has a real security problem because the business forces at 1Password appear to be much stronger than the engineering forces.
1Password is E2E encrypted, no, with decryption/encryption happening only at the edge? If the cloud storage is compromised, that doesn't mean the attacker can read the passwords?
It's a march of small concessions and after 5 years of marching you find yourself very far away from where you thought you were. "We only collect things that don't matter to you, trust us."
That means that shareholders can make the company choose things that benefit shareholders at the cost of customers. Taking investment is a fundamental change in trust architecture.
I no longer believed that 1Password is aligned with me, and alignment is a constant force always acting. Removing local vaults was proof of lack of alignment. Removing local vaults was proof that 1Password will choose money over security. Removing local vaults was proof that appearing worthy of trust is a lower priority than coercing people into their cloud.
No, but it means a fake 1P login page can be served and that will result in some non-zero number of people who didn't have a choice on a local sync having their credentials compromised. I am a huge 1P and I think their whitepapers show off their top-tier talent in the crypto space, but killing local sync was a very crummy decision.
Conversely: I have zero interest in managing the storage of my own password vaults. It's a trade-off I'm willing to make for convenience and durability.
By way of example: I recently moved overseas, and in the process I wiped my desktop and moved to a laptop-only setup. Unfortunately, I managed to back up an outdated Adobe Lightroom catalog, not my current catalog, so I lost about two years' worth of catalog data -- including Lightroom edit histories. Yes, this is obviously a mistake on my part, but I recognise that I make these mistakes, and I'm willing to trade some loss of privacy and security for a significant decrease in a different risk profile.
Removing a local option is shitty, but there's nothing wrong with providing cloud-based storage.