
Assuming that you're not a high-profile target, self-hosting does make it rather unlikely that you'll get pwned in this case.

An attacker can justify allocating a lot of resources to pwn bitwarden.com. If you manage to break into the vaults you're bound to find something juicy, just because of how large the target is.

Or you could decide to pwn me. Figure out where my bitwarden is hosted, what my config looks like, what mistakes I might have made setting it up, then maybe find a way in. Then it's just the start, since the passwords are encrypted on disk, so at best you have access to an encrypted sqlite database. Now you need to find a way to get me to leak my vault key. Maybe I sometimes use the web interface? Maybe not. Who knows.

After all of that you may realize that all of my passwords are either not super important or require some form of 2FA, therefore wasting your time.

But hey, you can log into my hacker news account!

Security through irrelevancy.


