I hate passwords, help me out.

The built-in browser password managers have been getting better, but I don’t follow it closely enough to know if they should be trusted with the password to important sites. I do the two-tier thing in that I let the browser remember passwords for message boards and such, but not for my bank or email. As far as I’m concerned, the master list is still in my standalone password manager, and the browser stuff is just for convenience.

The idea is that you never reuse your password manager’s password. It is the one piece of information that you must memorize, and it should be unique and complicated. Some sort of phrase or a random string you’ve committed to memory. Adding in real 2-factor authentication is even better. A standalone or phone-based OTP, YubiKey, or such will make it more secure.

I’m just not concerned about an adversary that can break AES-256, because if one even exists (and I don’t think one does), they are going to be on the order of a major government. They will not have to break my password database to get into my bank, they can just directly issue a warrant to the bank for what they need. I’m much more concerned about a bug in the password manager that renders the AES-256 encryption worthless. That is where reputation and quality come into play. A password manager that is known to quickly and effectively fix bugs is important.
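An added example (not from the post above, and not describing any real password manager's file format) of the two points the reply makes: the master passphrase has to be unique and random, and a bug in the code around AES-256 matters more than the cipher. The vault layout, the 32-word list, the "weak KDF" and the breach dictionary are all constructed for illustration; the vault header holds a key-check value, which is what an attacker with a copy of the file uses to test master-password guesses offline.

```python
"""Constructed demo: master passphrase strength and key derivation for a
password vault.  Not the code or file format of any real password manager."""
import hashlib
import hmac
import math
import secrets

# Constructed 32-word list (5 bits per word).  A real Diceware list has 7776
# words (~12.9 bits per word); passphrase_entropy_bits() takes the list size.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "hazel",
    "ivory", "jetty", "kelp", "lumen", "marsh", "nickel", "orbit", "pumice",
    "quartz", "raven", "slate", "tundra", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "acorn", "birch", "cedar", "delta", "elm", "flint",
]


def generate_passphrase(n_words, wordlist=WORDLIST):
    """Random passphrase: each word is an independent, uniform, CSPRNG pick."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size=len(WORDLIST)):
    """Entropy of n_words uniform picks from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def derive_key_weak(master, salt=b""):
    """Constructed 'bug': the key is a single unsalted SHA-256 of the password.
    The output is a perfectly good 256-bit AES key, so AES-256 itself is not
    the problem; every guess costs about a microsecond and one precomputed
    table works against every user's vault."""
    return hashlib.sha256(master.encode()).digest()


def derive_key_strong(master, salt):
    """Memory-hard KDF with a per-vault random salt (scrypt, 16 MiB per guess)."""
    return hashlib.scrypt(master.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def make_key_check(key):
    """Key-check value kept in the vault header so the app can distinguish a
    wrong master password from corrupt data.  An attacker holding the file
    can use it the same way, so it protects nothing by itself."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def offline_crack(kcv, salt, kdf, candidates):
    """Attacker's loop: derive a key per candidate, compare to the stored check."""
    for cand in candidates:
        if hmac.compare_digest(make_key_check(kdf(cand, salt)), kcv):
            return cand
    return None


# Constructed breach dictionary: passwords the attacker already holds from
# other sites.  A reused master password is, by definition, in such a list.
BREACH_DICT = ["123456", "password", "letmein", "Summer2019!", "correct horse"]


def demo(master, kdf, candidates=BREACH_DICT):
    """Create a vault header for `master` with `kdf`, then attack it offline.
    Returns the recovered master password, or None if the dictionary missed."""
    salt = secrets.token_bytes(16)
    kcv = make_key_check(kdf(master, salt))
    return offline_crack(kcv, salt, kdf, candidates)


if __name__ == "__main__":
    # Reused password: recovered under either KDF; scrypt only makes it slower.
    print("weak KDF, reused password:  ", demo("Summer2019!", derive_key_weak))
    print("strong KDF, reused password:", demo("Summer2019!", derive_key_strong))
    # Unique random passphrase: not in any breach dictionary, whatever the KDF.
    unique = generate_passphrase(6)
    print("strong KDF, unique phrase:  ", demo(unique, derive_key_strong))
    print("6 words from a 7776-word list: %.1f bits" % passphrase_entropy_bits(6, 7776))
```

The two runs against "Summer2019!" make the reply's point concrete: the memory-hard KDF raises the cost per guess by orders of magnitude, but a master password that appears in a breach list is recovered either way, and a weak or unsalted KDF means even a decent password is exposed no matter how strong the cipher around it is.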