Your specific suggestion would require the browser plugin to have access to that master password. As Jeff notes, their model treats the browser as a hostile environment and minimizes how many secrets it’s trusted with.

To generalize, any sort of encryption would require the browser plugin to have key information, and (though it’s possible to misconfigure a system in a very specific way a la wireshark), in general, anything that can sniff your loopback connections will have no problem digging stuff out of the browser’s memory space.