Why not, all they'd have to do is copy the local vault to their cloud service and you'd never notice until you discover that the local file you're syncing somewhere else no longer contains your new passwords.
I'm not saying they've done this, but they could.
