As it was requested at GitHub, there’s a higher risk of attack on the web vault.
When using the web vault, the passwords are decrypted locally and the master password isn’t sent to the servers. This is secure.
I can’t really think of any solution to this problem. But as it was mentioned at GitHub, the web vault could encourage users to use the extension or the app, as the risk of them being hacked and uploaded to the app stores / browser extensions is smaller.
Although warning about the web vault could increase the security a little bit, there are other open attack vectors. One of them would be replacing the applications from https://bitwarden.com/download/ with malicious ones (this wouldn’t require uploading to app stores / browser extensions). I think this is more of a general problem with password managers, so I don’t know if this could ever be solved.
Bitwarden is hosted on Azure and it is managed, so I would say that the possibility of such an attack is small, but still, no system can ever be 100.00% secure.