
Don't store the encrypted passwords locally. Have them on a server that delivers them only against a valid OTP/push notification confirmation on your phone, YubiKey tap, etc.


That's a valid solution, but I would not select a password vault that was dependent on network access. Offline access to secrets is important to me. Other people might feel differently, of course.


Absolutely agree with you. No offline access was one of the usability trade-offs I was referring to, that no one seems ready to make in practice.

The product I'm working on has had for a long time an option to require a second factor for each login, which works a bit as described (encrypted data is stored locally but is also encrypted with a key that's stored on our servers and protected by 2FA), but at the vault level rather than at the credential level (it doesn't protect against device compromise, but prevents brute forcing of local data, for example; you do lose offline access), and the UX is already annoying enough that in practice this feature is very rarely used and we are regularly considering dropping it.
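An added illustration of the vault-level arrangement the comment above describes (example code, not the commenter's product): the stored file is the locally encrypted data wrapped a second time under a key the server only applies after a valid OTP, so brute forcing the local key against the file yields nothing and losing the server means losing offline access. It assumes AES-GCM for both layers, RFC 4226 HOTP as the second factor, and constructed 32-byte keys.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only for a key that is not 16, 24 or 32 bytes
	}
	g, _ := cipher.NewGCM(block)
	return g
}
// seal prepends a fresh random nonce; open reverses it and fails on a wrong key or tampering.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// hotp is RFC 4226 (6 digits, returned as a number); TOTP is the same with counter = unix time / 30.
func hotp(secret []byte, counter uint64) uint32 {
	mac := hmac.New(sha1.New, secret)
	binary.Write(mac, binary.BigEndian, counter)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}
// LockVault stores seal(serverKey, seal(localKey, secrets)): the outer layer is the vault-level second factor.
func LockVault(localKey, serverKey, secrets []byte) []byte { return seal(serverKey, seal(localKey, secrets)) }
// UnlockVault models the server gate: serverKey is applied only for a matching OTP, so there is no offline access.
func UnlockVault(localKey, serverKey, otpSecret []byte, counter uint64, code uint32, vault []byte) ([]byte, error) {
	if code != hotp(otpSecret, counter) {
		return nil, errors.New("otp rejected: server key not released")
	}
	if inner, err := open(serverKey, vault); err == nil {
		return open(localKey, inner)
	}
	return nil, errors.New("server-keyed layer failed to open")
}
```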



