How can they even access this data in the first place ? I thought it was E2EE and so couldn’t be accessed by the provider… Secure enclave or not, this mean they can decrypt it at least some data and (technically) do what they want with it - since it’s all proprietary.
One more reason to Require Open Source for Password Managers
Edit: There is an “audit” but it mainly relied on 1P docs and some shallow examination of source-code.