Not sure what you mean by “local fallback”, but if the user is not signed in, the data is simply stored locally.
storing sensitive private information on storage API is discouraged since it is stored in plain text
I’m fairly certain that the data gets encrypted in the browser, is transmitted and stored encrypted and is only decrypted in the browser again. Not even Mozilla can read it on their servers. You still wouldn’t want to save passwords in it because it rests on the local computer without encryption (maybe unless you set a master password in Firefox).
If it is a password database, none of the browsers storages will do.
I said that because with information that important, you also would not want to loose the data (as in, have no access yourself).
I guess that’s the best and easiest option: make the sync storage optional and be used only if the user choose to do so.
Again, it really depends on what you store, but in general I disagree. For most settings it’s fine to just dump them into