I was confused to see my previously set-up account appear without any need to enter the Secret Key, so I did some searching and found the following thread.
This seems to suggest that the secret key is backed up to Google with, in effect, the security of the Google account rather than the secret key. While I understand the benefit to inexperienced users not experiencing data loss and I understand these are the very users that can't be asked to opt-in, this seems like it substantially weakens the security of more advanced users with a different threat model. The latter do not (AFAICT) have any way to opt-out of the backup behavior other than disabling backups altogether, and since the behavior is poorly documented these users aren't in a position to take mitigation steps. If there were, for example, a toggle in the settings, it would at least be discoverable, but AFAICT the only way to discover this behavior is to infer something is going on from the behavior of not having to enter the key.
If true, that would be very disappointing. Is it possible to at least make the behavior opt-out? This seems like a pretty serious weakness, especially for people who may face targeted attacks. It seems fine for 1Password to optimize for the common use case, but if security has been degraded from what's being advertised (and it's still being advertised), then that reduces the value being added over simply using built-in Chrome password management or one of the other password management options.
In other cases, for example, Mac/Windows hard drive encryption, it's possible to select different recovery key options depending on the threat model. It seems like something similar should be explored here.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
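For context on what an opt-out of this kind looks like on the app side, the following is an added illustration, not code from 1Password or from the post above. It assumes the backup channel being discussed is Android's Auto Backup (the post does not confirm the mechanism), and it uses a hypothetical preferences file name, `secret_key.xml`, standing in for wherever an app keeps a secret it does not want copied to the cloud. Android reads `fullBackupContent` rules on Android 11 and below and `dataExtractionRules` on Android 12 and above, so an app that supports both has to ship both files.

```xml
<!-- AndroidManifest.xml (fragment): keep Auto Backup on for ordinary app data,
     but point Android at rule files that carve the secret out of it. -->
<application
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup_rules"
    android:dataExtractionRules="@xml/data_extraction_rules">
    <!-- activities, services, etc. -->
</application>

<!-- res/xml/backup_rules.xml: applies on Android 11 (API 30) and lower.
     domain="sharedpref" refers to the app's SharedPreferences directory;
     the path is the hypothetical file holding the secret. -->
<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <exclude domain="sharedpref" path="secret_key.xml"/>
</full-backup-content>

<!-- res/xml/data_extraction_rules.xml: applies on Android 12 (API 31) and higher.
     Cloud backup and device-to-device transfer are configured separately;
     a secret whose security should not depend on the Google account is
     excluded from both. -->
<?xml version="1.0" encoding="utf-8"?>
<data-extraction-rules>
    <cloud-backup>
        <exclude domain="sharedpref" path="secret_key.xml"/>
    </cloud-backup>
    <device-transfer>
        <exclude domain="sharedpref" path="secret_key.xml"/>
    </device-transfer>
</data-extraction-rules>
```

The point of the split into two rule files is the behaviour change in Android 12: the older `full-backup-content` rules are ignored there, so an exclusion that was only written for the old format silently stops applying once the app targets the newer platform. Whether any given app's secret actually lives in SharedPreferences, a database, or a plain file determines which `domain` value the exclusion needs; the `sharedpref` choice here is part of the assumption, not something the post establishes.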