I like to change the metaphor. We're not visiting websites. We are inviting them into our homes.
But when we open the door, our friend brings a group of rowdy drunks with him, they're rummaging through closets (privacy invasion), they drink the beer (draining batteries and using internet data volume) and maybe they damage things (malware) - so I have a bouncer. If you're not invited, you're not getting in.
As for creatives, I'll happily tip them, i have no issues with sponsored content (as long as it is declared) - they probably get more from that then the ad-impressions.
Several points
They generate strong passwords - completely random with no scheme or method to guess. They are long and use many different characters. These won't be easy to memorize, but that's the point of a password manager, isn't it? Much stronger than "google-monkey123", "lemmy-monkey123" etc.
They generate unique passwords - different passwords for every login. When, inevitably, one website had their database breached and it turns out that they stored the passwords too (you never store the passwords, only a "hash", a scrambled version of it), that password of yours can't be used on other websites. Or any scheme be detected "hey that guy just appends 'monkey123' to the name of the site!" That password was truly unique and is not a danger to your other online accounts.
They protect you from phishing - consider this scenario: you get a message with a link, you click on it and the site asks you to log in, so you type in your login and password, but that was a phishing site, it looked like the real website, but really it wasn't. And now the attacker knows your username and password. A password manager that automatically fills your login details will only do so if the domain name is exactly correct, on a phishing site it will not auto-fill, giving you a moment to stop and think.