> its password store is secured by your password, which Mozilla can snarf if they wish, or are compelled to do

If you're talking about the Firefox Sync password, it's being derived and what Mozilla gets is not your password. Locally Firefox encrypts those passwords using a "Master password" you have to set and which never gets transmitted.

And any password manager can "snarf your password", all it takes is a targeted update, which on present day mobile devices will be automatic. If you can't trust an open-source application managed by a reputable non-profit, then you definitely can't trust your operating system either, in which case it is better to not have a smartphone at all.

I don't trust Firefox with my passwords either, but that's because ensuring the security of that database isn't what Mozilla sells and browsers have been known to be very insecure in handling those passwords. The first thing I do whenever I install a new browser is to disable the "Remember logins for sites" settings.

Derived by JavaScript served by … Mozilla. They can, at any time, serve JavaScript which submits your unhashed passphrase straight to them.

> If you can't trust an open-source application managed by a reputable non-profit, then you definitely can't trust your operating system either, in which case it is better to not have a smartphone at all.

There's a difference between trust once and trust always. An OS is downloaded once; an application is downloaded once; JavaScript is downloaded every time you need it (modulo caching, of course): Mozilla can be compelled to suborn that JavaScript at any time in order to target someone.

Firefox Sync functionality is integrated in the browser and not served on demand.

https://www.mozilla.org/en-US/firefox/accounts/

I think the JavaScript which serves the password-related stuff is somewhere in https://www.mozilla.org/media/js/firefox_accounts-bundle.f52..., but I could be wrong.