Of course any password manager
is just a link in a chain of security.
Not that you'd think that from some of the more hysterical tinfoil-hattery being exhibited here.
If you make the assumption that *any* form or credentials caching - regardless of implementation - is susceptible to being read by 3rd parties, you take appropriate preventive measures.
In my case, even though my card details are stored in LastPass, an attacker with full access to my vault (which would require going through a 2FA challenge, so already they'd need to crack the Google authenticator mechanism) would not be able to use them, since my bank *also* demands 2FA. And all my saved payment details require the CVV number from the card. Which is *not* stored anywhere - not even on the card (use a soldering iron, the digits are embossed).
Anyone who criticises LastPass for "not being secure enough" is clearly stupid enough to think their security needs are capable of being met by a single application. And that person is - at best - "naive", and at worst, a moron. Especially if after lambasting LastPass for "not being secure enough" it turns out they have a safe inside the locked doors of their house.