Client-side decoding in a web app is not secure against the host of the web app, because the decryption code can be changed at any time to contain arbitrary backdoors. Lastpass stores the encrypted secret, and they serve the Javascript that decrypts the secret, so they should be assumed to have access to the secret.