
Isn't this true for any service? We're just trusting that the bitwarden/server image or bitwarden.com won't do the same?

Also, this is only a risk if you use the provided Web vault. If you use the desktop, mobile or browser extension clients, it would require both Bitwarden LLC and dani garcia to conspire against you, as the server doesn't control the code those clients run and the API only provides it data in encrypted format.

Finally, if you're that worried you can pin the container version by hash and only update when you are confident in the new version.
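The digest pinning suggested in the comment above is only useful if nothing in the deployment silently drops back to a mutable tag. The script below is an added example (not from this thread, and not part of any Bitwarden or vaultwarden project) of a pre-deploy check that refuses a docker-compose file unless every `image:` entry is pinned as `name@sha256:<64 hex>`. The compose files, service names and the digest value are constructed placeholders.

```shell
#!/bin/sh
# Added example: fail a deploy unless every image in a compose file is
# pinned to a content digest rather than a mutable tag such as :latest.
# Compose files, service names and the digest below are constructed.

# check_pinned_images FILE
# Returns 0 if every "image:" value in FILE ends in @sha256:<64 hex chars>,
# returns 1 and lists the offending references on stderr otherwise.
check_pinned_images() {
  file="$1"
  # Pull out the image references: strip the key, trailing comments and quotes.
  refs=$(grep -E '^[[:space:]]*image:' "$file" \
    | sed -E "s/^[[:space:]]*image:[[:space:]]*//; s/[[:space:]]*#.*\$//; s/^['\"]//; s/['\"]\$//")
  # Anything not ending in a full sha256 digest is a mutable reference.
  unpinned=$(printf '%s\n' "$refs" | grep -Ev '@sha256:[0-9a-f]{64}$' || true)
  if [ -n "$unpinned" ]; then
    printf 'unpinned image reference: %s\n' $unpinned >&2
    return 1
  fi
  return 0
}

# Constructed sample files (placeholder digest: 16 hex chars repeated 4 times).
WORKDIR=$(mktemp -d)
PLACEHOLDER_DIGEST="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

PINNED_COMPOSE="$WORKDIR/pinned.yml"
cat > "$PINNED_COMPOSE" <<EOF
services:
  vault:
    image: "bitwarden/server@sha256:$PLACEHOLDER_DIGEST"  # constructed
  db:
    image: postgres@sha256:$PLACEHOLDER_DIGEST
EOF

UNPINNED_COMPOSE="$WORKDIR/unpinned.yml"
cat > "$UNPINNED_COMPOSE" <<EOF
services:
  vault:
    image: bitwarden/server@sha256:$PLACEHOLDER_DIGEST
  db:
    image: postgres:latest
EOF

# Stand-alone demonstration: the first file passes, the second is rejected.
for f in "$PINNED_COMPOSE" "$UNPINNED_COMPOSE"; do
  if check_pinned_images "$f"; then
    echo "OK: $f (all images digest-pinned)"
  else
    echo "REJECT: $f (mutable image reference found)"
  fi
done
```

To obtain the digest to pin, pull the tag you have vetted once and read it back with `docker inspect --format '{{index .RepoDigests 0}}' IMAGE:TAG`; afterwards the tag is never consulted again, so a later push to the same tag cannot change what you run.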



Yes, but if a company does this, they are essentially killing themselves. They have presumably spent a lot of time creating a company, gaining customers, etc., whereas a single(?) maybe anonymous open source developer does not have that much to lose.


> if a company does this, they are essentially killing themselves

...or they have to do it because of the NSA and weirdly 99% of users don't care or don't have the means to do anything about it.

Companies aren't trustworthy, they are bigger targets but also targets with thicker armor.

I just go with the offline route, KeepassXC runs well enough for me and is compatible with phones. I need to handle data sync myself but it's not like I change or add new passwords every day.


The single dev has their reputation and professional career to lose, whereas companies can and regularly do engage in all kinds of legal and/or judo to avoid any responsibility towards users.


A single dev is an exploitation sitting duck. They can get hacked, they can be stolen from, they can be targeted by the NSA (or FSA, ...), they can make small but fatal mistakes, and I doubt they conform to the level of policies that companies like FAANG impose on their security-critical teams.

And all of the above are very good plausible deniability excuses, such that this single developer could, after all, be malicious and still not lose his reputation simply by claiming he got targeted by a 3rd party.

Let that sink in: a single developer and their PC is a gatekeeper of everyone's safety.



