Yes, but I think it would be harder to push a malicious update especially since currently 1password doesn't send information on the license when checking for updates. So a malicious update wouldn't be targeted as easily as logging in a web app.

Additionally exfiltrating the data would be harder for a locally stored vault..