They do separate the UI application from the kernel that manages access to the data. I guess the biggest risk would be that you click reveal, which has the kernel expose a password to the UI, and then the UI phones home with its entire raw contents.
Good point. I don’t know what 1Password could do to prevent the telemetry from issuing control commands to the rest of the app outside of trying to prevent malicious code from being checked in and deployed.
