BitWarden is open source on both ends. So worst case one can self host then fork clients. (Server has already been reimplemented independently.)

This is true, but LastPass proved that by the time the worst case occurs it's already too late. A security breach means, at minimum, redoing all your passwords, and these sites are a very compelling target.

OTOH I wouldn't want to self-host because I know I'm not going to spend the same amount of time and effort a full security staff would, even if my self-hosted box would make a much less attractive target.

It's quite a pickle.

I self-host Vaultwarden. I'm sure someone will be happy to explain to me how foolish my implementation is, but I'm comfortable with it from a security perspective.

I run it as a Docker instance on my home Synology NAS. This turned out to be pretty easy to do. The only part that was a slight hassle was buying a cert, creating an FQDN and making the DNS entries to get an SSL connection to the NAS. Also, I wish updating to a new version of Vaultwarden was a little more straightforward.

When I am at home, my devices with Bitwarden all sync to the Vaultwarden instance on the NAS without issue.

My router is a Ubiquiti UDMPro. I have an L2TP VPN configured with a shared secret and user passwords that are ridiculously long and complex. When I'm out and about and need to sync with the NAS from my laptop or mobile device, I activate the VPN and do the sync.

My Ubiquiti account does have 2FA.

I implemented all this when 1Password informed me that in order to continue using their service, my vault would have to be hosted on their server and I would have to pay them every month for the privilege. That was a nonstarter.

I'm sure my router and NAS are not impenetrable, but I don't feel like I'm low-hanging fruit either. And if someone went to the trouble of breaking in, their reward would be one guy's vault and not the vaults of millions of customers. I'm hoping that makes me a less attractive target. Of course the vault itself has a very long and complex password as well.

This is working out quite well for me so far, knock on wood.
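A minimal hardened Docker Compose file for the kind of NAS deployment described above, as an added example rather than the commenter's own configuration; the hostname, data path, loopback port binding and the TLS-terminating reverse proxy in front of it are assumptions:

```yaml
# docker-compose.yml for a self-hosted Vaultwarden behind a TLS-terminating reverse proxy.
# Added example; hostnames, paths and the proxy are assumptions, not the commenter's setup.
services:
  vaultwarden:
    image: vaultwarden/server:latest   # pin a specific tag in practice; read the changelog before upgrading
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Must match the public URL the clients use; also the origin checked for WebAuthn.
      DOMAIN: "https://vault.example.com"     # assumption: placeholder FQDN
      # Close open registration once your own account exists; invite household members instead.
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "true"
      # Leaving ADMIN_TOKEN unset disables the /admin page entirely; set it only while you need it.
      # ADMIN_TOKEN: "<long random secret; recent releases also accept an Argon2 PHC hash>"
      SHOW_PASSWORD_HINT: "false"
      LOG_FILE: "/data/vaultwarden.log"      # keep login and failure logs on disk for review
    volumes:
      - /volume1/docker/vaultwarden:/data     # assumption: NAS path holding the SQLite DB and attachments
    ports:
      # Bind to loopback only: the reverse proxy on the same host terminates TLS with the
      # purchased certificate, so the plaintext HTTP port is never reachable from the LAN.
      - "127.0.0.1:8080:80"
```

The reverse proxy forwards `https://vault.example.com` to `127.0.0.1:8080`; nothing else on the network needs to reach the container directly.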

I have a very similar self-hosted Vaultwarden set up, for the same reasons.

My other concern, which may be unfounded, is that Vaultwarden [1], which is an unofficial Rust rewrite, may also be developed to different, or lesser, security standards than the official client. However, I don't have any real reasons to suspect this.

[1] https://github.com/dani-garcia/vaultwarden