If you're using 1password Teams or higher, you should look deeply at default permissions 1password has on your vaults.
Unless you set things up non-default, every user/group added to a vault is able to print your entire vault, with compete details, or export that vault with all details.
This floored me when it was brought to my attention. You have to manually disable export/print on every vault. There's no global option to disable this, and if you're a 1password newbie, you might not even know this option even exists. Data exfiltration is opportunity is a super crazy risk. While anyone can copy paste all the data out manually, these options make it child's play to export all your passwords, OTP tokens, everything! I was sent a PDF of ~250 complete items across 4 vaults. The person didn't "manage" the vaults. WTF 1password?!
So. I had the option to manually go through and disable those options, or, I chose to use the CLI to fix this. This isn't optimal, as I can't automate it, it requires my authentication to run, this is, at best, a bandaid. In my opinion 1password needs to fix this. I've send support messages, and haven't heard back.
If your experience is different, please let me know. Perhaps I'm using the platform incorrectly.
I wrote this in fish shell, because it was simple, and I had to interact with the command line. It shouldn't be hard to port to bash or zsh or whatever you like. I just like fish.