Another consideration is: There are credible arguments that rather than run a dedicated password manager, you should use the operating system’s built-in password manager. In that case it goes without saying that if you don’t trust the operating system then you can’t trust the password manager.
It’s worse than that. The operating system is the thing that loads a program. Even if you could download the program’s source on another fully trusted computer, compile it, digitally sign it … and then move it to the target computer, once you run the program, you have no idea what you are running, whether it is genuine, whether it has been verified as genuine, …
And of course most programs rely on the operating system for a range of services, any or all of which could be compromised in some way if the operating system intends to interfere with your program.
You either trust the operating system or you verify the operating system.
There’s Intel’s SGX, but to me that is a two-edged sword. The enclave may be more private from spying from the outside, but that very privacy makes it harder to audit what is really going on. So you would at least have to trust the supplier of the code running in the enclave more than you trust the supplier of the code running in the operating system.
I get the distinct impression that SGX was an anti-privacy feature.