Why is it bad? The only difference between the current, "local" approach and the 1Password cloud approach is that the password vault will be stored on their servers rather than on something like Dropbox or iCloud.


AgileBits can't (easily) steal my password vault on iCloud/Dropbox/WebDAV/local, even if they put a backdoor into a binary which they ship me (I can whitelist what the app talks to). Dropbox can't easily put a backdoor into the 1Password code from AgileBits. No single party can do it alone.

Apple could still single-party screw me, but they're huge, and if they did this in even one documented case they would probably lose $100B in market cap, and Tim Cook has shown he will push back when ordered to do stuff like this.


Not sure if it's wise to use the product of a company you don't trust for something as sensitive as passwords. I think you were better off using some other software to start with.


1) There is nothing better in terms of overall security + UX out there. It would take hundreds of man-hours to build a personal solution, and thousands for a distributable solution.

2) Until recently, the direction they were moving in was good, even if their current position wasn't ideal.

3) It isn't so much that I think they could be malicious as that I don't trust them to have enough internal controls against external compulsion or an employee with prod access getting hacked.

There are some passwords I don't put into 1Password (PGP, etc.), and I try to avoid having passwords only as auth credentials for anything important. So it is more that I would have hundreds or thousands of low- to medium-security site passwords at risk, which in aggregate would be a huge inconvenience. That is more because I don't have huge faith in the local OS security on machines than because of 1P as a particular risk vector.
