True, but how exactly would they get your master password? You never need to enter it anywhere online, just your offline, one-way hashing algorithm.
Exactly the same as an offline password manager, so no benefit.
Except this file does not need to be secure in any way.
It does. If someone has your salt and the URL of the site, and say that site gets compromised
...or they are the site owner...
so they have the hash of your hash too. Now they can brute force your master password, and then get into every other site you used it with, and your file has a handy list of URLs where it will work.
First of all, in practice I don't back up the settings file anywhere, as almost all sites work fine with the default settings and the ones that don't I either remember or just reset the password for if required.
Having said that, your point is valid but not an actual concern for me. If someone wanted to waste lots of CPU power brute forcing my (long, random, high security) master password, they probably could do so. But just never reusing passwords is generally enough to limit the damage of the inevitable database leaks and hacks, which is the actual, realistic threat we're dealing with here. Never using the same password twice is the most important protective measure you can take, and hashing is, imho, the most frictionless way to do it.
You could also choose to limit any potential damage by having a few master passwords for different classes of websites.