They're working doing that (it's already the default for local storage and iCloud, right?). I don't think the issue here is code as much as it is "you can't break people's already-deployed password vaults"; for a lot of their users, that kind of breakage is almost as bad as losing data.
Which would make sense, but isn't that an argument for appropriate warnings and a checkbox under sync preferences rather than functionally undocumented defaults hacking? This weakness has been public knowledge since at least 2012(!), so I'm forced to consider why they're so blasé about their customer's data.
I would never have started syncing with Dropbox had I known this. They have access to my site list now.
