> I realized the level of attack that I would be putting myself under and the insecurity of JavaScript due to extensions, mitm, and client side malware made it ridiculously unpalatable
This doesn't really make sense. These threats apply equally to people just memorizing and typing in their passwords into web forums. If the user's browser is compromised there is literally nothing to be done.
It doesn't compromise ALL of your passwords in one go, it only gets the ones you type. I don't do my bank or my broker except on my low risk machines with 2fa. But logging into a motorcycle web forum shouldn't leak that password. Having them all in the browser local storage with one master password does.
This doesn't really make sense. These threats apply equally to people just memorizing and typing in their passwords into web forums. If the user's browser is compromised there is literally nothing to be done.