> How hard is it for 1Pass --basically a mandated MITM-- to send a false request to Alice when Bob made a request?

Alice is the one that initiates the request. She owns the vault being shared and encrypts it with Bob's pre-shared public key.