
For me, it's that 1Password runs locally and doesn't need to phone home, whereas LastPass is "cloud". Also, LastPass being owned by LogMeIn doesn't sit right with me, but that's definitely personal.

No idea about Keepass(x), although I found that ecosystem to be confusing; with different apps for different platforms, you might accidentally download a rogue one on e.g. your phone. I know, paranoia.




http://keepass.info/help/kb/sec_issues.html#updsig

There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.

First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.

KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures' (the expected signer name is 'Open Source Developer, Dominik Reichl'). When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.

The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent an attack via a compromise of the download server; checking the digital signature does.

The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.

Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-4096 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS.
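The signature check the KB describes (Explorer -> Properties -> Digital Signatures) can be scripted so it covers every binary rather than one file at a time. This is an added example, not code from the KeePass project or the quoted documentation; `$Path` is an assumed install or download location, and matching the signer by the name the KB gives ('Open Source Developer, Dominik Reichl') as a substring of the certificate subject is an assumption about how that name appears in the certificate.

```powershell
# Added example (not from KeePass). Verifies the Authenticode signature on a
# downloaded installer or on every EXE/DLL under an install directory, and
# checks that the signer matches the name stated in the KeePass KB.
param(
    # Assumed location; point this at the installer or the install directory.
    [string]$Path = 'C:\Program Files\KeePass Password Safe 2'
)

# Signer name from the KB. Substring match against the certificate subject
# (typically "CN=...") is an assumption about the certificate's exact form.
$ExpectedSigner = 'Open Source Developer, Dominik Reichl'

if (Test-Path -Path $Path -PathType Leaf) {
    $files = @(Get-Item -Path $Path)
} else {
    $files = Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File
}

$failed = @()
foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Only 'Valid' means the hash matches and the chain ends in a trusted root;
    # NotSigned, HashMismatch, NotTrusted and UnknownError all count as failures.
    $validSig   = ($sig.Status -eq 'Valid')
    $rightOwner = ($subject -like "*$ExpectedSigner*")
    $ok = $validSig -and $rightOwner

    $tag = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Output ('{0} {1} [{2}] {3}' -f $tag, $file.Name, $sig.Status, $subject)
    if (-not $ok) { $failed += $file.FullName }
}

if ($failed.Count -gt 0) {
    Write-Warning ('{0} file(s) failed the signature or signer check; do not run them.' -f $failed.Count)
    exit 1
}
Write-Output 'All files carry a valid Authenticode signature from the expected signer.'
```

A valid signature from a different signer is reported as FAIL on purpose: as the KB notes, a compromised mirror could serve a file that is signed, just not by the KeePass author.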


My mother is able to run KeePass and she still has a problem with double clicking.

But sure. Looking for yourself is not easy. You have to do something for yourself and not just throw money on some company that is depending on this one product.

Not sure if your paranoia is directed the right way here though.


Just because the thing that works for another person isn't the same as what you do doesn't mean that you need to be insulting towards them.


LastPass is only "cloud" in the sense that it takes the AES-encrypted files your browser encrypts locally, then allows you to access them from multiple locations if you have the right pw (and 2-factor auth if you use it).


KeePass and KeepShare are both GPL, which is already a huge improvement over "trust this largely unknown company".





