
Password managers are very different. The details get encrypted using a passphrase, and only the encrypted data gets sent to the password manager. You don't have to trust the backend unless the frontend is changed to send non-encrypted data and/or your passphrase.
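An added example (not part of the comment above) of the trust boundary it describes: the vault is encrypted locally under a passphrase-derived key, the sync backend only ever stores the resulting blob, and the client refuses any blob whose integrity tag does not verify. It assumes a constructed cipher built from stdlib primitives (scrypt for key derivation, an HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) as a stand-in for the AEAD a real password manager would use, and constructed sample entries.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for an AEAD: scrypt derives separate encryption and MAC keys,
# the keystream is HMAC-SHA256 in counter mode, and an HMAC tag covers salt+nonce+ct.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(passphrase: str, vault: dict) -> dict:
    """Client side: everything the backend will ever receive is the returned dict."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    pt = json.dumps(vault, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(passphrase: str, blob: dict) -> dict:
    """Client side: verify the tag before touching the ciphertext (wrong passphrase or
    a blob altered in transit or at rest both fail here)."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault rejected: bad passphrase or tampered blob")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def backend_can_see(blob: dict, secret: str) -> bool:
    """What a (possibly curious) sync backend gets: does any stored field contain the secret?"""
    needle = secret.encode()
    return any(needle in bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
```

The backend check is the point of the thread: with only the blob stored server-side, the secrets are recoverable nowhere but on a client holding the passphrase, which is exactly why the client code itself becomes the thing to trust.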



You have to trust the frontend though. And where did you get that from?


I use KeepassXC and synchronize the encrypted database across my devices using my own Nextcloud instance. But even if I used a mainstream cloud provider, that wouldn't matter since the db is encrypted and decrypted locally. Regarding trusting the frontend, in my case I just need to check that KeepassXC itself isn't sending data around. Which I admit I didn't do so far, but in my view the alternative of reusing passwords is much more likely to get you in trouble compared to the likelihood of KeepassXC sending your data to a third party without anyone noticing.


And even if you audited its code, would you re-audit it if that code changed?


Contrary to what crypto fanatics might have you believe, software ecosystems are always built on trust.

Audits are but a means to try to champion that trust. And, indeed, by no means a silver bullet at that.


> software ecosystems are always built on trust.

Yes but, depending on how the ecosystem is built, the amount of trust needed can be smaller or greater. Reality isn't black or white, we also have shades and colors.


Of course. I'd just rather trust many people narrowly rather than trusting a few people with everything. And the people who can push updates to password manager front ends... we're trusting them with everything. It's a situation which calls for a bit of extra diligence.



