Right, but if an attacker has access to the VPS, it can pull off the various shenanigans that's described in the OP? That's the whole thesis of the article. If you have access to the underlying storage of pass (eg. the git instance if you're using git to sync everything), then you can perform some attacks. The attacks aren't catastrophic (ie. attackers being able to decrypt your passwords with no intervention), but they're still pretty bad nonetheless.
If the attacker has userspace access to my VPS or - even worse - my daily driver, then I have much bigger fish to worry about than. The attacker is then a single zero-day away from gaining root access and being able to keylog everything I input on my physical keyboard or send via SSH, at which point the issues mentioned in the article become meaningless.
