
> I don't know what criteria is required to meet an E2EE (End to end encryption?) standard.

Only sender and receiver (the “ends”) can decrypt the data, i.e. have the keys. In this case both ends are “you”, and the passphrase is the authentication for new devices. For e2ee to hold, neither the passphrase nor the key can be shared with another party, for instance Mozilla.

> 1. If you lose your password and didn't set up a separate password recovery code (one time codes), then you're toast.

That sounds right, and is similar to password managers. Your data is encrypted as a vault with a key derived from the passphrase. The vault is opaque to anyone without the key. Though you still have to trust the software.



OK. It sounds like E2EE encryption is in effect because Mozilla encrypts your cloud data with a password hashing algorithm.

[I edited my comment above to get into more nuance about how password reset is possible, but wipes data.]

If you lose your Mozilla account password, you can reset it, but

> Any data you have on the server will be erased when you reset your password (unless you use recovery keys). Your other devices will stop synchronizing unless you update them with the new password.[0]

[0] https://support.mozilla.org/en-US/kb/ive-lost-my-firefox-syn...


Erasing cloud data is not a biggie, because as soon as you log back in (with the new password) from a device with the old data, it will get reuploaded. FF does the safe thing when synchronising.
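The vault model from the reply earlier in the thread (key derived from the passphrase, blob opaque to the server) and the reset-then-re-upload behaviour described here, as an added example that is not Firefox Sync's actual code. The KDF parameters, the HMAC-counter-mode cipher and the sample bookmark are constructed for illustration only:

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy model of a passphrase-protected sync vault (illustration, not Firefox's scheme).

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Client-side only: the server never sees the passphrase or this key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF-based stream cipher (toy, not AES-GCM).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the returned blob is what gets uploaded to the server."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def open_vault(key: bytes, blob: dict) -> Optional[bytes]:
    """Returns the plaintext, or None if the key is wrong or the blob was altered."""
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def sync_scenario() -> dict:
    """New device, server's view, password reset, re-upload from a device with old data."""
    bookmarks = b"https://example.org/ (constructed sample bookmark)"
    salt = os.urandom(16)  # stored next to the blob on the server; not secret
    server = {"salt": salt, "blob": seal(derive_key("correct horse", salt), bookmarks)}
    # A new device that knows the same passphrase recovers the data.
    new_device = open_vault(derive_key("correct horse", server["salt"]), server["blob"])
    # The server only holds salt + ciphertext + tag, never the passphrase-derived key.
    server_can_read = server["blob"]["ct"] == bookmarks
    # After a reset, the key from the new passphrase fails the MAC: the server cannot
    # re-encrypt the old blob, so it must erase it...
    after_reset = open_vault(derive_key("new passphrase", server["salt"]), server["blob"])
    # ...until a device still holding the plaintext re-seals it under the new key.
    server["blob"] = seal(derive_key("new passphrase", salt), bookmarks)
    reuploaded = open_vault(derive_key("new passphrase", salt), server["blob"])
    return {"new_device": new_device, "server_can_read": server_can_read,
            "after_reset": after_reset, "reuploaded": reuploaded}
```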


That makes sense to not delete the client-side data and gracefully continue.
