It's really simple. It just doesn't consider anything unexpected happening.
Compromised algorithms are unlikely. But not impossible. Quantum computing enabling brute force attacks is unlikely in the immediate future, but not impossible. Certificate pinning compromise during transport is not implausible for state actors.
And in those scenarios and others, having the vault stored remotely on someone else's machines is inherently less secure than not.
Would you mind elaborating on this?