Lesspass: Question: Seeking additional clarity on KeePass vs LessPass comparison FAQ

Created on 30 Jan 2021  ·  4 Comments  ·  Source: lesspass/lesspass

From the FAQ, KeePass vs LessPass:

Store accounts/passwords in a database encrypted with your master password

vs

Compute a unique password for every account based on your master password; your generated password is never saved

The encrypted database is of little use without the master password to decrypt it. If the attacker did have the master password, they still need the encrypted database to get the contained passwords as they're not derived from the master password.

By contrast, even though LessPass does not store passwords, the master password itself is a form of storage. Once it is known, the user's passwords are no longer secured. Profiles to accommodate services that need them aren't likely to deviate much from the service's minimum requirements; if the user has explicitly deviated from this it does benefit security, profile parameters such as counter less so.

Profiles, however, are likely to be stored, and thus similar to the comparison of an encrypted database file. One benefit for LessPass is that services may be deterministic in password generation, but which ones are used, along with any other account metadata, isn't as likely to be obvious. If the attacker isn't after a specific or probable service to log in to with the target's credentials, this can mean less risk of being compromised.


Database can be stolen and brute-forced offline, passwords are not individually encrypted so whole database is vulnerable

vs

Would have to brute-force websites to guess master passwords, most sites log and mitigate this (reCAPTCHA, blocking multiple attempts, etc)

Assuming a proper master password was used to secure the encrypted database, the offline attack isn't all that feasible. I believe this has been the case with LastPass when it was compromised, attackers had encrypted data but it was effectively useless without the keys to decrypt.

LessPass is described as requiring an attack on the websites... a more practical attack would be against a website having a breach where the database with password hashes was compromised. This allows for an offline attack as well.

LessPass is stronger still, in the sense that not only does the attacker need to perform 100k iterations of PBKDF2 for the master password guess, but the generated password for the website account must also go through that service's slow-hash/KDF too. Combined it may raise the computation per guess above that of KeePass.


TL;DR:

  • LessPass master password is almost equivalent to KeePass master password + encrypted database. KeePass master password is not useful without access to the encrypted database as well.
  • LessPass can have profile data stored, which coupled with a master password enables access to each service the user has an account with. However, having the master password does not reveal all services the user has registered with LessPass generated passwords.
  • LessPass can also have the master password attacked offline. It only requires access to one database from a service the user has a LessPass password with, which if successful enables the attacker to generate passwords for other services deterministically.

Have I understood this comparison correctly?

For most users and their passwords, a LessPass master password is equivalent to having all passwords it derives, and is more accessible to attackers than cloud providers or KeePass (or similar apps), in that a single service being breached and leaking password hashes enables attacks to begin?

Not asking for any changes to the wiki, I think it can be safe to assume comparisons from one party can be biased (eg there's no mention about downsides like changing master password).
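An added example (not LessPass's own code) that implements the derivation discussed above, following the published LessPass v2 scheme: PBKDF2-HMAC-SHA256 with 100,000 iterations over the master password, salted with site + login + hex counter, then rendered into a password from the enabled character sets. It shows concretely why the master password alone reproduces every current and future site password while the salt keeps each one distinct; the site, login and master password values are constructed.

```python
import hashlib

# Character sets used by the LessPass v2 renderer (added example, not LessPass's code).
CHARSETS = {
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
# The per-guess PBKDF2 cost referred to in the thread: anyone checking a master
# password guess against one leaked derived password pays this for every guess.
ITERATIONS = 100_000


def entropy(master, site, login, counter=1):
    """Entropy as a big integer: PBKDF2-HMAC-SHA256(master, site + login + hex(counter))."""
    salt = (site + login + format(counter, "x")).encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, 32)
    return int.from_bytes(raw, "big")


def render(ent, length=16, rules=("lowercase", "uppercase", "digits", "symbols")):
    """Consume the entropy to build a password containing at least one char of each rule."""
    if length <= len(rules):
        raise ValueError("length must exceed the number of enabled rules")
    pool = "".join(CHARSETS[r] for r in rules)
    chars = []
    for _ in range(length - len(rules)):  # bulk of the password from the combined pool
        ent, idx = divmod(ent, len(pool))
        chars.append(pool[idx])
    required = []
    for r in rules:  # one guaranteed character per enabled rule
        ent, idx = divmod(ent, len(CHARSETS[r]))
        required.append(CHARSETS[r][idx])
    password = "".join(chars)
    for c in required:  # insert each required char at an entropy-chosen position
        ent, pos = divmod(ent, len(password))
        password = password[:pos] + c + password[pos:]
    return password


def derive(master, site, login, counter=1, length=16):
    """Stateless derivation: no stored data is needed, so a new site's password is
    available to whoever holds the master password, including for future sites."""
    return render(entropy(master, site, login, counter), length)
```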

help wanted

All 4 comments

LessPass master password is almost equivalent to KeePass master password + encrypted database. KeePass master password is not useful without access to the encrypted database as well.

Yes except that with KeePass you don't have access to the future passwords.

LessPass can have profile data stored, which coupled with a master password enables access to each service the user has an account with. However having the master password does not reveal all services the user has registered with LessPass generated passwords.

Yes, but keep in mind that saving password profiles in the LessPass database is for websites that don't accept the default options.

LessPass can also have the master password attacked offline. It only requires access to one database from a service the user has a LessPass password with, which if successful enables the attacker to generate passwords for other services deterministically.

Yes, this is one of the weaknesses of LessPass. If an attacker gets your raw password from a leaked database, they can try to brute force your master password. This is mitigated if the entropy of your master password is enough.

So I don't know how to clarify this. Do you have a proposition?

I close.
Feel free to post on this thread to ask for extra help.

Yes except that with KeePass you don't have access to the future passwords.

I don't quite understand what you mean here by access to future passwords? Are you referring to the attacker having a database copy, and that they will not have any new passwords added by the user updating their password database?

This is mitigated if the entropy of your master password is enough.

Agreed.

So I don't know how to clarify this. Do you have a proposition?

I believe I was just raising some concerns about some bias in the comparison, but anyone else who feels similar will come across this issue when investigating, so nothing really needs to be done :)

I don't quite understand what you mean here by access to future passwords? Are you referring to the attacker having a database copy, and that they will not have any new passwords added by the user updating their password database?

If someone stole your LessPass master password, he can generate your actual passwords and your future passwords.

If someone stole your KeePass master password + your KeePass database, he will have access only to your actual passwords.
