Does End-to-End Encryption in Web Applications Require Trust?

In a talk, Moxie Marlinspike mentioned that Signal does not intend to release a web application because web applications are impossible to audit. The JavaScript code is retrieved on each page load, so it would be trivial to send malicious code that gathers the users' keys once in a while without the users noticing.

Why is this not an issue for password managers that have a web application, like LastPass or Bitwarden? It seems like they should have the same issue, but I guess the customers need to trust them to not take their data?
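
The concern above is that the script can differ from one page load to the next. As an added example (not part of the original question), this Node.js script pins the digest of an audited bundle and flags any page load that served something else; the bundle contents, timestamps and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// SRI-style digest of a script body: "sha384-" + base64(SHA-384(body)).
function sriDigest(body) {
  const hash = crypto.createHash('sha384').update(body, 'utf8').digest('base64');
  return 'sha384-' + hash;
}

// Compare every observed page load against the digest of the audited release.
// Returns the loads whose script differs from what was audited.
function findUnauditedLoads(pinnedDigest, loads) {
  return loads
    .map((load, index) => ({ index, time: load.time, digest: sriDigest(load.body) }))
    .filter((seen) => seen.digest !== pinnedDigest);
}

// Constructed sample data: one audited bundle and one altered variant.
const AUDITED = 'export function unlock(vault, key) { return decrypt(vault, key); }\n';
const ALTERED = AUDITED + '/* constructed: statement absent from the audited release */\n';

// Constructed capture of four page loads; the altered bundle is served once.
const LOADS = [
  { time: '2024-01-01T09:00:00Z', body: AUDITED },
  { time: '2024-01-01T13:30:00Z', body: AUDITED },
  { time: '2024-01-02T08:15:00Z', body: ALTERED },
  { time: '2024-01-02T17:45:00Z', body: AUDITED },
];

// The pin comes from the release that was actually reviewed.
const PINNED = sriDigest(AUDITED);

const mismatches = findUnauditedLoads(PINNED, LOADS);
for (const m of mismatches) {
  console.log(`load #${m.index} at ${m.time} served unaudited code: ${m.digest}`);
}
console.log(`${LOADS.length - mismatches.length} of ${LOADS.length} loads matched the audited bundle`);
```

A check like this only means something when it runs outside the page being served, for example in a separate monitor, because the page that delivers the script cannot vouch for itself.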