The comment was referring to Keepassium and Strongbox, which do not store credentials on their servers so it's not exactly the same. While conceivably a compromised Keepass wrapper could decrypt and send the dump of each and every file it opens, I doubt it would pass unnoticed.