
Another "rule of security" is that taking one step forward is better than nothing at all. So theoretically, a proprietary password manager could have a backdoor which could be used by the vendor or security services. But that's a relatively small group of people compared to "the whole world" which is where most people are with easily-guessed passwords which get reused everywhere.

Also, the idea that an army of trained security professionals is ready and able to scan open-source software for vulnerabilities isn't true - I think there was a study a few years ago which proved these security checks often didn't happen, people just assumed they did. The OpenSSH (secure shell) software was compromised for years and nobody noticed, and it is true open source and a critical part of people's systems as well.

You're looking to mitigate risks. A password manager is a step in the right direction. If you are truly paranoid (good for you), something like this, based on GPG, might be the right answer for you:

https://www.passwordstore.org/

Personally I prefer not to use cloud-based password managers because I don't know what their backend security is like. But those more knowledgeable than me might say "they're fine" because of the way the encryption is structured.
