Actually, they are pretty much split up. To get access to my passwords and TOTP secrets, the attacker needs one of my devices (something I have) and its password (something I know) or my face/fingerprint (something I am).
The whole point of a fully featured password manager like 1Password or Bitwarden is to rely on it instead of the security of the service you're using. And that implies that you must trust the security of the vault itself.
Of course, each device you have is an additional (an equally dangerous) attack surface. However, most people should be more worried if someone hacks into their devices than their Facebook accounts anyway.
The whole point of a fully featured password manager like 1Password or Bitwarden is to rely on it instead of the security of the service you're using. And that implies that you must trust the security of the vault itself.
Of course, each device you have is an additional (an equally dangerous) attack surface. However, most people should be more worried if someone hacks into their devices than their Facebook accounts anyway.