It's not 100% offline. As you said, if they manage to access your Dropbox, they could theoretically sync an altered database back to you. If the application leaks some information while attempting to open the database or can be made to leak information, that would be bad.