The issue is laid out here: https://laurelwoodcabanaclub.com/1Password.html
1Password Version: 7.3.1.BETA-0 (70301000)
Extension Version: Not Provided
OS Version: 10.14.5 (18F132)
Sync Type: Not Provided
We do collect the maxLength attribute if present and I see code in the filling logic specific to the state field that indicates we ought to be checking and adapting so I'm going to say this is a bug given it doesn't seem to be working properly. You are correct that because of how the extension works it does bypass the page blocking the additional characters as it sets the field value directly.
Would I be correct in assuming the example page provided is one set up by you and could it remain available for when the developers can make it to the bug report I'm going to file based on these findings?
Website is under my control. It will be left up indefinitely. This was a crasher for me so I had to add some extra data sanitizer on the backend to catch it (always a good thing). I reduced my code/html so my issue could be easily reproducible. It's a standalone HTML page so could be saved on your end too for possible automated test case down the road. My original idea was to attach it here but attaching a .html didn't initially work.