If everything is done on the client side, what's the server for? There are, indeed, things that are not possible because they violate the laws of nature. But "It's not possible" in any other context usually turns out to be wrong. Sure, if they're not storing the passwords, then the passwords themselves cannot be downloaded from the server. But I'd imagine that a clever hacker would have little difficulty figuring out how to get useful information if he once got admin privileges on the server. The trick would be hacking into the server, which I'm sure is extremely difficult since a good security company is going to have very good security itself. But such a high-value target is certain to be bombarded with attacks constantly.
Sorry. I'm not buying the "It's not possible" line. LastPass may indeed be more secure than just remembering my complex and unique passwords for every critical site. Without a lot more tech skills than I have, I cannot assess that. But I don't believe that anything is 100% impossible. The trick is to find the most secure system that is not unreasonably burdensome.
Your passwords are all stored in a single encrypted blob, aka vault, which is encrypted by the client using your master password and sent to the server. The server does not ever store your master password. You log in to your account, to download the vault, using your master password, but they do this by creating a hash of your username that is encrypted by your master password on the local system and then storing that on their server. So basically when you log in, your "password" is really just your username encrypted locally using your master password and is just as secure as the vault itself. Your master password is never sent to the server or stored on the server. The password is only ever used on the local device.
Here's the whitepaper if you're interested...
https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf
In addition to all the encryption, they protect the server side with extra hashing, so your encrypted user name is encrypted again using their own server-side encryption. They also cut off brute force attacks by locking an account after a few failed attempts. And they also offer two-factor authentication, which won't even allow you to try to download without a code, and they only accept authenticator apps or special security key devices for 2FA, no SMS, so there is no way to spoof that.
But let's say they cracked the server and downloaded everyone's vault file. Every single one is encrypted using a different master password using AES256 encryption. A brute force decryption of even just one file would require hundreds of years using current technology. And because they're not stored with any identifying information, only that encrypted and hashed user name which would also take hundreds of years to decrypt, it is literally impossible for them to crack your vault without knowing, or guessing, your master password.
So I stand by my statement that it's impossible. Unless you use a stupid master password that's easy to guess.
Another technique I heard about recently that increases security even more is setting up an email with an anyone@ domain. An anyone@ domain will accept email addressed to anything @yourdomain.com and route it to a single inbox. You then use the password generator in LastPass to generate both a unique email AND a unique password. Talk about impossible to crack. If someone happened to hack a site and gain access to your email and password for that site not only would the password be unique but the email would be unique, so they'd have no way to tie any information back to you. If you connected the anyone@ domain to a forward domain they wouldn't even know where the email is actually being sent.
My point is if you want to get crazy with security you can and it's relatively easy with the tools available today.
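The client/server split described in the reply above, sketched as an added example (not part of the original thread and not LastPass's own code). It assumes PBKDF2-SHA256 for every step; the iteration count and all function names are hypothetical choices for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch, not a vendor setting


def derive_vault_key(username: str, master_password: str) -> bytes:
    """Client side: stretch the master password, salted with the username.
    This key encrypts the vault and never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), ITERATIONS, dklen=32)


def derive_login_token(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one further one-way step. The token is what gets sent
    at login; it cannot be turned back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode(), 1, dklen=32)


def client_login_token(username: str, master_password: str) -> bytes:
    key = derive_vault_key(username, master_password)
    return derive_login_token(key, master_password)


def server_enroll(login_token: bytes) -> dict:
    """Server side: hash the received token again under a random per-account
    salt, so the stored value is not the token itself."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_token, salt, ITERATIONS, dklen=32)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, login_token: bytes) -> bool:
    """Server side: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_token, record["salt"],
                                    ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    user, pw = "alice@example.com", "correct horse battery staple"  # constructed sample
    record = server_enroll(client_login_token(user, pw))
    print("right password:", server_verify(record, client_login_token(user, pw)))
    print("wrong password:", server_verify(record, client_login_token(user, "hunter2")))
```

Every input to these derivations other than the master password is known to whoever holds the server record, so the protection rests on the master password's strength and the iteration count.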