@alxd It needs to be able to retrieve the original form of the passwords somehow. How would it otherwise be able to send it to websites that expect it? That's the modus operandi of all password managers, Google or not, encrypted or not.
@phoe But presumably it has a master password used to decrypt the blob? That shouldn't ever leave your browser session, should it? I.e., it shouldn't be stored persistently and shouldn't be sent to any servers. @alxd@kensanata