My understanding is the app decrypts the vault locally. I guess they could put out a malicious update but then you’d be impacted whether there was a cloud-free option or not.
Yes, but I think it would be harder to push a malicious update especially since currently 1password doesn't send information on the license when checking for updates. So a malicious update wouldn't be targeted as easily as logging in a web app.
Additionally exfiltrating the data would be harder for a locally stored vault..
My understanding is the app decrypts the vault locally. I guess they could put out a malicious update but then you’d be impacted whether there was a cloud-free option or not.