That's true, and should be viewed as a possible risk. However, there is still more implicit trust in 1Password and similar companies that is often not mentioned:
* They run mostly closed source system. Thus one has no idea what happens on backend, and what data is actually sent
* The encrypted vault already belongs to them. In fact, all encrypted vaults live in the same place, which makes it very attractive for hacker attacks
So effectively, leaking Master Password for 1Password might have just as bad effect as leaking it for DerivePass. Depending on how much you trust both entities.
