All the encryption happens client-side. For this to be a problem you not only have to gain access to the blobs stored on their service, but you also have to be able to decrypt them.
I expect they probably pay more attention to abnormal access than most self-hosted users would as well, so you'd actually know about a data leak faster so you could rotate your passwords.
I expect they probably pay more attention to abnormal access than most self-hosted users would as well, so you'd actually know about a data leak faster so you could rotate your passwords.