
It also implies saving passwords without hashing... Not good.


Sure, but is that not what an online password manager is? :P


The data is encrypted with a key that you have, not one that the server has, which is much, much better. If someone breaks into the server, they are not able to very quickly grab all the data. They have to be able to deploy some malware on the server and allow it to run for a while to collect passwords.


I want to believe that LastPass uses client-side JS to decrypt based on your login credentials, not a plain text database.


They do. It's not pretty, the whole thing is a mess from a lot of engineering aspects, but the basic security principles are solid.


If the online component goes anywhere beyond the ability to sync an opaque binary blob that only your local machines can decrypt and re-encrypt, there's a problem there.


How does my secret key get from my phone to my tablet?


The devices could exchange their keys through a secure connection - be it direct (Bluetooth, LAN) or routed by a third-party service. It could also be transferred physically (through removable storage, or through retyping a bunch of numbers shown on one device into another device).



