I’ve used Bitwarden for ~3 years at this point, but when my friend asked me this question, I didn’t really have a good answer. Yes, It’s open source, which is all well and good, but how can I be sure the code published on github is the same as whats running on my PC when I use the desktop/mobile app or web client? What’s keeping the team behind Bitwarden from looking at my passwords?
There is a great FAQ to answer this question!
You don’t have to 100% trust them, you can always do that pepper thing or keep your 2FA in a different app.
A password manager is about making your life easier and more secure. Trust comes from time but peppering and 2FA can help too.
You might want to take a look at this: