by Carbonhell
930 days ago
Known password managers such as Bitwarden don't simply communicate the master password from client to server in plain text: https://bitwarden.com/help/security-faqs/. The master password is salted and hashed client-side, then salted and hashed again when stored on Bitwarden's servers. Even if you managed to perform a MITM attack, you'd only be able to download your encrypted vault data, which would then require your master password to decrypt (locally). I believe talking about security considerations requires specifying a threat model, but for the average user such a setup would definitely be considered secure enough. A local-only setup would definitely be more secure, but then, as you said, you'd lose QoL features such as ubiquitous access, a nice UI/UX, no setup hassle, easy usage of hardware tokens and so on.
If one were to attack Bitwarden, he would either have to crack the encryption scheme to attack a specific user/business or target it through other means. Ultimately I think it's a small security sacrifice versus a big gain in terms of usability and availability.
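The client-side/server-side split described in the comment above, as an added example that is not part of the original post or Bitwarden's own code: the client stretches the master password into a key that stays on the device, sends only a separately derived authentication value, and the server salts and hashes that value again before storing it. Iteration counts, the email-as-salt choice and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed, illustrative work factors (not Bitwarden's real parameters).
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def client_master_key(master_password: str, email: str) -> bytes:
    """Client-side: stretch the master password with the account email as salt.
    This key never leaves the device; it is what decrypts the vault locally."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS)


def client_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client-side: derive a distinct value for login from the master key, so the
    value sent over the wire is not the key that decrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)


def server_store(auth_hash: bytes) -> tuple[bytes, bytes]:
    """Server-side: salt and hash the received auth value again before storing,
    so a database dump does not reveal what the client sent."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)


def server_verify(stored: tuple[bytes, bytes], auth_hash: bytes) -> bool:
    """Server-side login check with a constant-time comparison."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def on_wire_value(master_password: str, email: str) -> bytes:
    """What an on-path (MITM) observer sees during login: only the auth hash,
    never the master password and never the vault-decrypting master key."""
    key = client_master_key(master_password, email)
    return client_auth_hash(key, master_password)


if __name__ == "__main__":
    # Constructed sample credentials.
    email, pw = "user@example.invalid", "correct horse battery staple"
    record = server_store(on_wire_value(pw, email))
    print("login ok:", server_verify(record, on_wire_value(pw, email)))
    print("wrong pw:", server_verify(record, on_wire_value("wrong", email)))
```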
https://www.dashlane.com/download/whitepaper-en.pdf