Never using online password manager is a good start. Only use encrypted local password manager preferably on encrypted file system and never use same passwords and emails. Best have seperate emails at least for the most important data. Also generating random 50+ alpha-numeric-symbols.
Is that safer than 1Password? According to their documentation, passwords inside 1Password are fully encrypted and only ever decrypted locally on the user's devices. So, it seems identical to the local use case you describe except that it's much more difficult to lose your passwords on 1Password. With passwords only locally on a single machine, if you lose the machine, you lose your passwords. Plus, there's no easy way to share the passwords across multiple machines and especially operating systems.
It seems to me that everyone stating that systems like this are terrible simply propose an alternative that is a hand-built version of the same solution.
Generally it seems that there are two types of people - those that trust encryption and those that trust themselves just a little bit more.
In lots of threads like these the same statements repeat, pretty much similar to this exact thread.
Some people place encryption as the root of trust and so trust that any local encryption is good enough - because if it's encrypted then it's safe to go anywhere...right?
Some prefer to only trust local encryption that doesn't go anywhere, e.g. not synced non-locally to a cloud service. They do trust encryption, but their own stewardship of it they trust a little bit more.
Logically, both must trust encryption of they wouldn't both use it, but one trusts the implementation a little less. That person generally trusts their own systems, setup, skills and self to provide an additional layer of 'feel good' security. They trust the security of their setup and its supply chain over that of a third party. They trust their own 'defence in depth'.
Functionally the two approaches are more similar than either will admit, because unless you can secure the entire 'system' from transistor to human, all the 'prefer local' user is doing is shifting the point of attack and not necessarily understanding their 'defence in depth' might not be as deep as they think.
Most 'prefer local' users will usually point out that the shift of the point of attack makes it harder to achieve. That may have some truth, it may also not. It may actually be that a third party security focused service with many dedicated employees who are paid well and operate round to the clock to monitor activity might have a greater 'defence in depth' and a subsequently greater chance of spotting or preventing a supply chain attack over a single individual spread across many tasks (such as living a normal life and administering their systems in spare time).
The discussion usually then descends into opinion and there it stays, like a plant in the shade, never producing any useful fruit to it's keepers.
