
My guess is their password manager is a separate app and they use the clipboard (or maybe it's a keyboard app) to paste the password. No way for the password manager to check the URL in that case.


You are probably right. Still, browser vendors or even extension devs can create a system where a username hash and password hash are stored and checked on submit to warn of phishing. Not sure if I would trust such an extension, except in case it's an FF-recommended and verified extension.


I use a separate app like this because I do not fully trust browser security. The browser is such a tempting hacking target (hardened, for sure) that I want to know my vault lives in an offline-only area to reduce chance of leaks.

Is there some middle ground where I can get the browser to automatically confirm I am on a previously trusted domain? My initial thought is that I could use Firefox Workspaces for trusted domains, limited to the chosen set of URLs. Which I already do for some sites, but I guess I could expand it to everything with a login.


You could run two password managers, with a fake one that's a clone of the real one but with fake passwords. Only the fake one is connected to the browser. If the browser suggests a password from the fake pw manager, you go to the real one and copy it in.

Not actually suggesting this as it sounds like quite a big headache, but it is an option.


Honestly, that’s not a terrible idea. There are only a half dozen accounts which actually matter, so there is not even that much initial configuration burden. If I get phished for my HN account, oh well.

Think my only blocker would be if the browser extension fights me if I try to register a site using a broken/missing password.

Does feel like a bit of a browser gap. “You have previously visited this site N times”. If that number is zero, extra caution warranted. Even just a bit of extra sophistication on bookmarks if the root domain has previously been registered. Thinking out loud, I guess I could just lean on the browser Saved Passwords list. I’ve never been comfortable with the security, but I could just always try to get it to save a sentinel username, “YOUHAVEBEENHEREBEFORE”.



