username, password, and password notes are encrypted. The website URL is only hex encoded so it might as well have been in plain text. In other words, hackers know which websites you have passwords for (so beware of phishing attacks) but if you have a strong enough master password, they are still probably trying to crack your vault. You can see for yourself what is encrypted by downloading your encrypted vault - this was a good article which helped me figure that out: https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/

At any rate, going forward, 1password seems to be a better choice because of the additional secret key required to unlock the vault.

In the end, there is no substitute for a good, strong master password.

The same vault that is stored server side should be what is available locally. Older vaults may be different, so your mileage may vary.

I know that I examined my local vault and fields that were associated with a credential were encrypted, but names and URLs were not. Some URLs were stored with a token in them. Regardless of that fact, I cycled all of my credentials as I migrated to another provider.

I wasn't basing that on statements from Lastpass. I just presented on this at work and as part of preparing the presentation, we analyzed Lastpass Bitwarden and 1Password vaults as they are synced to their respective services. Palent's blog was certainly one of the sources we used in putting together the analysis.

Some interesting takeaways are that Shared Folders and Federated authentication offered some additional security. 2FA is completely meaningless in this situation as nothing from 2FA is used as part of the encryption key derivation.

As you also mentioned, age of the account made some differences (though not in username encrypted or not). Default iterations being a big one, and AES-CBC vs AES-ECB, which would certainly make usernames more easily determined.