1Password sends your password across the loopback interface in clear text
Ross Hosman
There’s no easy way to escape this.
Let’s say you want to avoid the unencrypted-IPC issue, so you switch to copy-pasting from the 1Password app. Anyone with the capability to sniff your local loopback interface can presumably also sniff your OS clipboard (trivial example: $(while 1; do pbpaste >> clipboard.log; done)).
Wanting to avoid that, you switch to loading up the 1Password app, then reading off and typing in your password manually. Nope. Anyone on your local machine can take screenshots programmatically. You’re still screwed.
Aaaaargh! You come up with some complex method to input keystrokes from a connected device… and are defeated by a local keylogger, installed by the same guy who’s been sniffing your loopback.