Syncthing is encrypted transfers.
The database is encrypted.
And you can set it to not use relays for data, only matchmaking between your own devices.
So it’s an encrypted file, encrypted again, and sent directly from an IP you own to an IP you own.
An online database is still a file ultimately. A SQL or other DB file stored in a webserver, accessed through a web interface.
Vaultwarden, etc, are the same, only the database file is less directly visible IMO. Keepass IMO is simple. The DB in a bespoke format, stored outside the application.
You could put the vault in system32 and name it “trustedinstaller.log”, and if someone saw you had keepass they wouldn’t even know where your vault is.
Given the number of well documented breaches of online password vaults, I would much rather do a private device to device sync via syncthing and keep it out of webservers.