The point is you are trusting the JavaScript that the server delivered to you. If the server is compromised, it hands you compromised JavaScript and you’re screwed. It’s the exact same thing as going to evil.com and entering your master password. I think that you inherently understand that evil.com is untrusted. However, if passwordmanager.com is compromised by the same people who own evil.com. there’s really no difference.
The point is you are trusting the JavaScript that the server delivered to you. If the server is compromised, it hands you compromised JavaScript and you’re screwed. It’s the exact same thing as going to evil.com and entering your master password. I think that you inherently understand that evil.com is untrusted. However, if passwordmanager.com is compromised by the same people who own evil.com. there’s really no difference.