I think you should read the 1Password security whitepaper before rambling on about things you clearly haven't spent the time and effort to learn about.
However, in their white paper they specifically have a section "Crypto over HTTPS" which outlines the risks of their new web UI. Yes, the password stays local if no one mucks with delivered js, however, 1password being compromised would allow serving of modified js.
This is a new vector only present due to their new web vault model + associated web UI features. They state it themselves in the whitepaper:
"The authenticity and integrity of the web client depends on the security of the host from which it is delivered. An attacker capable of
changing the web client on the server could deliver a malicious client
to the user"
1P could be 'compromised' and send a malicious version of their software back before they had the subscription model... I don't see how this is involves any more risk.
However, in their white paper they specifically have a section "Crypto over HTTPS" which outlines the risks of their new web UI. Yes, the password stays local if no one mucks with delivered js, however, 1password being compromised would allow serving of modified js.
This is a new vector only present due to their new web vault model + associated web UI features. They state it themselves in the whitepaper: "The authenticity and integrity of the web client depends on the security of the host from which it is delivered. An attacker capable of changing the web client on the server could deliver a malicious client to the user"