Increasing the default number of PBKDF2 for existing accounts

I changed this into a Feature Request, and modified one word in the title (“all” → “existing”).

As far as the claims by Palant, his main claim (that only the client-side iterations matter) is largely valid, although he does not offer any details on how an attacker would “check whether [the derived encryption key] can decrypt the data”. His blog article also includes several gratuitous complaints, such as the fantastical speculation that an attacker who has successfully compromised Bitwarden’s production servers and tampered with the codebase (in a way that eludes standard QA checks such as automated scans and manual code reviews) would then use this power only for the purpose of decreasing the number of KDF iterations performed by the downloaded clients.

A much more detailed (and level-headed) analysis of the issue, including a proposed design fix, was published by Dmitry Chestnykh in an article that I posted about here:

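As an added illustration of the point above, not code from this post, from Bitwarden, or from either article, a toy vault in Python: the authenticated blob alone decides whether a candidate client key is right, so only the client-side iteration count contributes to the cost of an offline check, while the server-side stretching gates only the login step. The scheme, salts and iteration counts are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed parameters (illustration only, not Bitwarden's real format or salts).
CLIENT_ITERATIONS = 600_000   # performed in the client before anything is sent
SERVER_ITERATIONS = 100_000   # extra stretching done by the server for login only

def derive_client_key(password: bytes, salt: bytes, iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client-side PBKDF2-HMAC-SHA256; the halves of this key protect the vault."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=64)

def derive_server_hash(client_key: bytes, iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server-side stretching of what the client sends. It gates login, not the vault."""
    return hashlib.pbkdf2_hmac("sha256", client_key, b"constructed-server-salt", iterations)

def _keystream(enc_key: bytes, n: int) -> bytes:
    """Toy PRF-in-counter-mode keystream so the example needs only the standard library."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(enc_key, counter.to_bytes(4, "big"), "sha256").digest()
    return out[:n]

def seal(client_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC using the two halves of the client key (constructed scheme)."""
    enc_key, mac_key = client_key[:32], client_key[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return hmac.new(mac_key, ct, "sha256").digest() + ct

def open_vault(client_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the MAC rejects the key.

    This MAC check is the whole "does this key decrypt the data" test: it needs
    only the blob and the client-derived key, so the server-side iterations in
    derive_server_hash() never enter into it. Raising CLIENT_ITERATIONS is what
    makes each such check more expensive.
    """
    enc_key, mac_key = client_key[:32], client_key[32:]
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))
```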