I want to point out one quote in Toth's post:
I understand this point quite well from my current work. So, 1Password shouldn't try to dismiss the issue with such a comment.
I'm not really sure what is new in Toth's post. It really is just related to a presentation he made at a conference. It's a bit of a survey of issues. Some of what is discussed is rehashing old issues that are resolved. Much of the post shows various (and obvious) techniques of hiding extension web elements.
The eye-opener for me was the various clever ways of getting a user to click on the hidden elements. For example, by making the hidden web element follow the mouse pointer so that wherever the user clicks the extension gets the click. So, I've come to understand that if I'm on an unknown website, any click can have consequences.
He does present some more interesting stuff regarding cracking passkeys when the server fails to implement "session-bound challenges". This issue will go away by itself as server developers learn how to correctly implement passkeys. Developers make mistakes all the time. In fact, recently I had to tell my client to fix something they did regarding replay issues with OAuth.
At this point, I'm comfortable with my use of the browser extension with the UI elements turned off. I might even leave the passkey-related UI elements turned on (a separate switch in 1Password). I have to study this one more.
At the end of his article, he says various vendors have addressed the vulnerabilities. In each case, he only seems to be saying they've managed to prevent their web elements from becoming invisible. 1Password does seem to be working on this and has something to say here:
According to this report, I wondered what the position of 1Password is on this issue and when it will be...
www.1password.community
and here
Learn how to set up and use 1Password, troubleshoot problems, and contact support.
support.1password.com
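
The "session-bound challenges" the post mentions, as an added example (not code from the post, from Toth, or from 1Password): a relying-party check that accepts a passkey assertion's clientDataJSON only if its challenge was issued to the same session, is unexpired, and has not been used before. The in-memory store, the session ids and the 120-second lifetime are assumptions, and signature verification is out of scope here.

```python
import base64, hmac, json, secrets, time

CHALLENGE_TTL = 120  # seconds; assumed lifetime, not taken from the post

class ChallengeStore:
    """Per-session, single-use WebAuthn challenges (in-memory, illustration only)."""
    def __init__(self, now=time.time):
        self._pending = {}  # session_id -> (challenge bytes, expiry time)
        self._now = now

    def issue(self, session_id):
        challenge = secrets.token_bytes(32)
        self._pending[session_id] = (challenge, self._now() + CHALLENGE_TTL)
        return challenge

    def consume(self, session_id):
        # pop() makes the challenge single-use even when later checks fail
        challenge, expiry = self._pending.pop(session_id, (None, 0))
        if challenge is None or self._now() > expiry:
            return None
        return challenge

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_client_data(store, session_id, client_data_json, expected_origin):
    """Return (ok, reason). Run this before verifying the assertion signature."""
    expected = store.consume(session_id)
    if expected is None:
        return False, "no live challenge for this session"
    try:
        data = json.loads(client_data_json)
        received = b64url_decode(data["challenge"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed clientDataJSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"
    if not hmac.compare_digest(received, expected):
        return False, "challenge not issued to this session"
    return True, "ok"
```

A server that only checks the challenge against a global list of issued values, instead of the one stored for the requesting session, would accept an assertion produced for a different session.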