
The argument I've seen provided for this is that an attacker would both need your password and physical access to a device with 1password already set up on it.

To use 1password on a new device, you need a "secret key" that is provided to you when you create your account which serves as a basic form of 2FA for your whole account. Not a perfect system, but it is not as simple as just getting your password and having access to everything.




1password is a cloud service. So they'd either need a device like you said or your login/password + authentication key that is only used in the initial setup flow of a new device. So still pretty hard like you said. Never considered how the extra key during new device setup could be helpful until now.


You can also set up 1PW to use an OTP itself. I use 1PW for OTP generation and for passwords (naturally), but my 1Password account itself is protected by my password + secret key, as well as an authenticator/OTP app that is not 1PW.


The "secret key" is of sufficient length not to qualify as "something you know". It's either a quite lengthy string you have to type in, or a QR code.
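Added illustration of the design idea discussed in this thread, not 1Password's actual scheme or code: a password and a long, machine-generated secret key are both fed into the key derivation, so the right password alone never reproduces the vault key. The PBKDF2 iteration count, the HKDF info string, the salt and the key format are constructed for this example.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed parameter for this example (a real product tunes this separately).
PBKDF2_ITERATIONS = 100_000
KEY_GROUPS, GROUP_LEN = 6, 5  # 30 random characters, formatted in groups


def generate_secret_key() -> str:
    """Make a high-entropy secret that is shown once at account creation (e.g. 'A3XK7-...')."""
    alphabet = string.ascii_uppercase + string.digits
    parts = ["".join(secrets.choice(alphabet) for _ in range(GROUP_LEN)) for _ in range(KEY_GROUPS)]
    return "-".join(parts)


def secret_key_entropy_bits() -> float:
    """Entropy of the generated secret key: 30 characters from a 36-symbol alphabet."""
    return KEY_GROUPS * GROUP_LEN * math.log2(len(string.ascii_uppercase + string.digits))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) extract-and-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Two-secret derivation: stretch the password, expand the secret key, XOR the two.

    An attacker holding only the password (or only the secret key) gets a 32-byte
    value that is unrelated to the real key, so offline password guessing alone fails.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, 32)
    sk_part = hkdf_sha256(secret_key.replace("-", "").encode(), salt, b"example-vault-key")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))
```

Running `derive_vault_key` with the correct password but a different secret key yields a different key; the entropy helper shows why the secret key is treated as something you have rather than something you know.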




