Yes the cask is fine. The problem with 1pass installed via nix is that it doesn’t put it in applications folder because that defeats the hermeticity of the solution. However the 1Password devs designed the binary on Mac to only boot out of applications folder, presumably for security reasons. Most other apps you can get around this by setting up trampoline links to the nix store versions, but if the app straight up refuses to boot anywhere else besides applications folder, you can’t use the typical nix installation path

IIRC there are some macOS APIs that you can only access if your app runs out of /Applications. There are some features of an app called "Secretive" (an SSH agent that stores keys in the Secure Enclave) that only work if you have the app installed under /Applications (whereas I'd normally install it under ~/Applications).

1pass probably does this to ensure that people can't accidentally install the app the "wrong way" and break some features.

Yep. It goes back to “some things nix does are straight up exclusive to the way macOS needs things to be”, as long as that dichotomy exists nix-Darwin will always have hacky idiosyncrasies like this. It’s not an easily solved problem, and it’s not necessarily Nix’s or Apple’s problem to fix. It’s just two antithetical design philosophies. I would love to see Apple support that kind of sandboxing Nix offers here for these apps though