they ran the test on those pw managers because they were open source. that allowed the testers to implement a “dummy” provider on their own “compromised server.” so the results of failing the tests are based on the hypothetical situation of “what if bitwarden (or whoever) had an entire server taken over by hackers”. while the possibility of that happening are greater than zero, it would take a lot for someone to completely hijack a server like that