I use 1Password and at the moment, I wouldn't touch anything else. Dashlane is a close second, but it's not mature or well-rounded enough just yet. LastPass is pretty good too, although their bookmarklets are insecure and I personally don't like auth/decryption being handled in the same location as the data (the portal). There's nothing particularly wrong with that method, I just prefer most of the process being handled offline while still leveraging the benefits of cloud sync.
Re #4 (verifiably secure) - You're never going to find anything which is absolutely and conclusively "secure", what matters is security in response to risk. This is where 1Password shines. The design and implementation are measured responses by experts to whom the word "security" means more than wrapping text in AES. There are "risks" with 1Password, I actually demo'd them before I purchased it (see blog under "Forgot your password? You're doing it wrong") but when you quiz AgileBits (makers of 1Password) they respond honestly and transparently. Trust is everything in this industry. Try the 30 day trial, ask AgileBits the same questions I asked of SiberSystems... compare the responses.
Re #5 (Trust) - This is difficult. If you're going to use a PW manager, you have to trust someone. I'm a firm believer in Kerckhoffs's principle, which (paraphrasing) says a system should remain secure when everything about it is known to everyone, other than the key. If a company will not openly discuss the way they protect your data, walk away. It doesn't necessarily mean it's inherently insecure, but it could be an indication that they haven't quite grasped the concept fully. If you spot something, no matter how trivial... ask questions. If something doesn't make sense (for example when "we never get the key" suddenly becomes "we get the key, but we don't keep it"), seek advice or walk away. Most importantly, look for security reviews... not just reviews. What prompted the early release of this blog was a tweet by TechRepublic (see bottom of article) which said "Roboform is enterprise-worthy". Trouble is, it was a comment by a respected journalist... so convincing users otherwise is difficult.
You're pretty much right. It doesn't so much default to true... it simply checks if the param exists and loads the PIN entry screen. If it doesn't exist, it loads the app as normal.