Allowing a Web site to generate a passphrase introduces unnecessary risk that would not exist if a local application (for example, KeePassXC) generated the passphrase. Perhaps my systems differ from yours, but on my systems KeePassXC does not have Internet access.
I can neither vouch for nor malign the Web sites that generate passphrases, but I will not be using them.
that’s a completely different story, it doesn’t mean they’re outright not recommended tools to use, in fact it’s less attack surface to use webapps than to rely on an app AND in fact you can download the Get a Passphrase page and use it completely offline (the css, js and everything gets bundled in and works as it should so that’s cool), invalidating your claim.
This change has been completed with a 6 word recommended minimum:
As such I will lock this thread. As a reminder since there are recent comments here, we always lock all site development threads when they are completed, but if you have a question about passphrase strength you’re more than welcome to start a new topic in Questions, or if you think we should make an additional/different change you can always start a new topic in Site Development 
#completed:
In Progress → Done