Yep. Theoretically a vulnerability could be found (or manufactured) for KeePass, but it’s much less likely than an online service, and it’s extremely common and open source, so if there are issues then there’s a fairly good chance it’ll be noticed.