Since neither of them are open source, I haven't put energy into making sure either of them is secure. Not being a security researcher or having access to either product's code, I'm not sure how I could be expected to perform that level of evaluation, but I've built systems that have passed security reviews and, from a non-privileged access point of view, I see little difference between the two. Enpass does seem to handle security incidents in a pretty responsible fashion. They post blog updates on vulnerabilities (e.g. https://www.enpass.io/blog/an-update-on-the-reported-vulnera...) after releasing fixes. It's great that you recommend 1Password based some other criteria, but I'm not sure why your recommendation should mean anything to me unless you've been given some privileged access to their code that the rest of the world doesn't have and if you have been given that type of access, it's irresponsible of you to denounce other products unless they've denied you similar access.
What I can see is that 1Password is pushing users towards a model that's fundamentally insecure. Their web-based products require a level of trust in 1Password (the company) that none of us should be willing to place in any company. What we've learned from Snowden is that any cloud provider can be secretly made to bend to their governing body's will. Running closed-source software on our own computers involves a level of trust in the authors of that software. That's just a fact of life when software isn't open source. But when code is pushed out into the world, it can, at least, undergo some scrutiny/testing by people outside the company. This is not true of software running on the company's servers. In so much as the security of 1Password requires executing a single, line of code on servers controlled by 1Password, the product is insecure and fundamentally unauditable because that line of code can be changed at any time without users being made aware.
The other point that should probably not get lost is that we're dealing with levels of security. In advocating for password managers, the interface absolutely does matter. Most computer users haven't adopted any password manager yet. When comparing a secure but difficult to use password manager, a potentially insecure password manager with an easy-to-use UI and a combination of insecure passwords, post-it notes and all the other terrible ways that users have of "managing" their passwords, the middle ground is likely to come out ahead for all but the most technically adept users. Need proof? PGP/GPG passes security reviews but has terrible UIs...what percent of emails are PGP/GPG encrypted? We shouldn't let the perfect be the enemy of the good. There can be different classes of security products for those that need protection from state-level actors and those that don't. Because people who are worried about that level of attack are generally willing to undergo a lot more pain to stay secure than your average user is.
What I can see is that 1Password is pushing users towards a model that's fundamentally insecure. Their web-based products require a level of trust in 1Password (the company) that none of us should be willing to place in any company. What we've learned from Snowden is that any cloud provider can be secretly made to bend to their governing body's will. Running closed-source software on our own computers involves a level of trust in the authors of that software. That's just a fact of life when software isn't open source. But when code is pushed out into the world, it can, at least, undergo some scrutiny/testing by people outside the company. This is not true of software running on the company's servers. In so much as the security of 1Password requires executing a single, line of code on servers controlled by 1Password, the product is insecure and fundamentally unauditable because that line of code can be changed at any time without users being made aware.
The other point that should probably not get lost is that we're dealing with levels of security. In advocating for password managers, the interface absolutely does matter. Most computer users haven't adopted any password manager yet. When comparing a secure but difficult to use password manager, a potentially insecure password manager with an easy-to-use UI and a combination of insecure passwords, post-it notes and all the other terrible ways that users have of "managing" their passwords, the middle ground is likely to come out ahead for all but the most technically adept users. Need proof? PGP/GPG passes security reviews but has terrible UIs...what percent of emails are PGP/GPG encrypted? We shouldn't let the perfect be the enemy of the good. There can be different classes of security products for those that need protection from state-level actors and those that don't. Because people who are worried about that level of attack are generally willing to undergo a lot more pain to stay secure than your average user is.