Hacker News

I don't know how similar online password managers work, but I use PassPack. They store your whole encrypted password file in one field in their database, and the encryption/decryption is done only on the client side. The key is never transmitted over the internet.

This doesn't do anything to defend against client-side malware, but at least if their database is stolen the bad guys will be unable to decrypt your passwords (as long as your passphrase is strong enough).

There is a weakness - they keep historical versions of your password file. Presumably because some customers forget their new passphrase but remember their old one and so they can recover their file, less any edits since they changed their passphrase. But if you changed your passphrase because your old one was compromised, the bad guys can now decrypt the old version and have a chance to get some still-current passwords from it.
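
A constructed model of the two designs the comment contrasts, added here as an example and not PassPack's code: a vault that encrypts every version directly under the passphrase-derived key, so a compromised old passphrase still opens old versions after a change, beside an envelope design that gives each version its own data key and re-wraps all of them when the passphrase changes. The toy cipher, the vault classes and the sample entries are assumptions for illustration.

```python
"""Toy client-side encrypted vault with version history. Constructed example: the
cipher (HMAC-SHA256 keystream, encrypt-then-MAC) stands in for a real AEAD."""
import hashlib, hmac, os
def kek(passphrase, salt):  # passphrase-derived key-encryption key (demo iteration count)
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000)
def _xor(key, nonce, data):  # HMAC-CTR keystream XORed over data (toy stream cipher)
    ks = b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def enc(key, pt):  # nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = _xor(key, nonce, pt)
    return nonce + ct + hmac.digest(key, b"tag" + nonce + ct, "sha256")
def dec(key, blob):  # raises ValueError on wrong key or tampering
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, b"tag" + nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered blob")
    return _xor(key, nonce, ct)

class DirectVault:
    """Every version encrypted straight under the passphrase key, as in the comment."""
    def __init__(self): self.salt, self.versions = os.urandom(16), []
    def save(self, pw, data): self.versions.append(enc(kek(pw, self.salt), data))
    def open(self, pw, i): return dec(kek(pw, self.salt), self.versions[i])

class EnvelopeVault:
    """Mitigation: per-version random data key, wrapped under the passphrase key."""
    def __init__(self): self.salt, self.versions = os.urandom(16), []
    def save(self, pw, data):
        dk = os.urandom(32)
        self.versions.append([enc(kek(pw, self.salt), dk), enc(dk, data)])
    def rotate(self, old, new):  # re-wrap history; afterwards the old passphrase opens nothing
        for v in self.versions: v[0] = enc(kek(new, self.salt), dec(kek(old, self.salt), v[0]))
    def open(self, pw, i):
        return dec(dec(kek(pw, self.salt), self.versions[i][0]), self.versions[i][1])

def _opens(vault, pw, i):  # True if the passphrase opens that version, else False
    try:
        return bool(vault.open(pw, i))
    except ValueError:
        return False

def old_passphrase_opens_history():
    """Rotate the passphrase in both vaults; does 'old pass' still open version 0?"""
    d, e = DirectVault(), EnvelopeVault()
    for v in (d, e): v.save("old pass", b"site-a: hunter2")  # constructed vault contents
    d.save("new pass", b"site-a: hunter2\nsite-b: tr0ub4dor")  # old version left untouched
    e.rotate("old pass", "new pass")
    e.save("new pass", b"site-a: hunter2\nsite-b: tr0ub4dor")
    return _opens(d, "old pass", 0), _opens(e, "old pass", 0)  # (True, False)
```

Re-wrapping closes the exposure at the cost of the recovery case the comment describes, since the old passphrase no longer opens an old version either.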


