“Nobody can really defend against an attacker running as root on their own system, but our more obvious exposure to to running on a rooted machine in this particular scenario is something that we think is worth the security and privacy benefits of our design.”
The issue here is that the Loopback exposure is to anyone listening on 127.0.0.1 and DOESN’T require the attacker to be running as root. So, whilst this particular architectural decision of AgileBits might not be a major security flaw, it’s not quite as minor as you’re implying.
Personally, I’ll continue to use the plugins but I’m hopeful you’ll find a way to address this shortly and also that you’ll be more honest in your interactions with customers about the severity.
Again, I’m NOT arguing that this is a terrifying breach, and I agree that if your machine is compromised locally then your choice of password manager is the least of your problems. But you need to acknowledge that the Loopback address is accessible from outside the machine and that 1Password *does* have a vulnerability here.