Last I checked, they still didn't have a useful Content-Security-Policy header on their Web Vault (which would prevent XSS), and also didn't have a way to separate "being logged into the extension" from "being logged into the Web Vault".

I... would definitely not recommend them, no.