Ehhhh, I dunno on that one. I think "stored on an end user device" is quite different from "stored on a server with a public address". Firewall rules differ, for one. ISPs are more restrictive on what they flag as suspicious for domestic connections for two.
Yes it would be better if the password manager were airgapped but that's a bad trade off in terms of user inefficiency and risk reduction IMO. In the same way, the reduction of attack surface by using post-its seems dulled by the consequent decrease in password complexity caused by people deciding their own passwords (since people subconsciously apply patterns to "random" strings they generate).
This isn't to say "post its are bad" or "password managers good" but I am pushing back at the categorical statement of "post its good, managers bad". It seems contingent on risk profile.
I will agree with you end user devices are generally safer. No points for ISPs being useful for anything, because they tend not to be, but firewalls for sure, and of course, the best accidental security protection ever developed: NAT. The other big difference is that end users have a single user's credentials, which is way less exciting than popping a large provider which can compromise millions of users at once.
That being said regarding Vaultwarden, as someone who contributes to a self-hosting platform, I interact with a lot of self-hosters. And self-hosters do a lot of really dumb things that aren't secure, and, of course, tend to add a public DNS endpoint to their password manager. :P
People put a lot of investment into the concept of making passwords super secure. For most passwords, that is silly and probably does more to increase risk. I would argue a password you can remember + 2FA is much safer than a password generated by a password manager, and any platform smart enough to support 2FA is also not going to give you unlimited password attempts.
But the biggest issue I have with people's views on password complexity and password managers is the idea that all passwords should be equally secure. (Or even, that you "must use a unique password on every site".) I sign up for a lot of crud. Usually it's because something made me sign in to read or comment or something, or a one-off purchase where I'm not even storing my payment credentials. If we're talking about risk profile, these aren't passwords that need to be heavily secured. But if you treat them like they must be, you'll end up using a password manager, likely for all of your accounts, including making your more important accounts, like your email and bank, less secure.
Understand the risk of an account getting compromised, and set its password accordingly. Absolutely use bad worthless passwords on one-off sites that can't impact you much. Heck, forget those passwords, and reset them if you ever need to come back to the site. Password resets are cheap for things you rarely go to.
Turn 2FA on everywhere, and ensure your important passwords are high quality and unique. If you have a bad memory, create some sort of portable reminder, or if you have to write your passwords down on a card or something... lie on it in a consistent, easy to remember way.
There's an interesting general argument you're making here and I'm not prepared to immediately reject it, but one detail I will push back on hard is "use low complexity passwords for unimportant accounts".
This is inadvisable. While the account's direct utility may not be high, and it increases user overhead, a malicious party can accumulate access to tens of a user's "low value" accounts to farm metadata or incidentally relevant data.
Additionally, the end user is not always the best judge of which accounts are even high value. My aunt insists, for example, that her Amazon account does not need a complex password because she "only" buys cookware from it. A silly example, but it illustrates the point.
I'd generally say anything you save payment info in for general physical purchases should probably be secured decently. But consider: Social media accounts used for public posting present no additional metadata. The risk profile to many accounts being stolen is "they can see my already public content, and also pretend to be me on that site". Which is of limited value. I'd really hope nobody trusted a sensitive transaction solely based on my HN posts, for instance. (It's definitely fair though that many people are not a good judge of this particular risk assessment.)
And I'd say for many sites, using a one-time password that you immediately don't bother to save is also probably a reasonable step up from this. If it remembers you on all your computers for a while... just lose the credentials and reset it later.