Of course the above is simplistic, and you can do things like uppercasing and other character manipulations - but an extended alphabet will always require (quiiiite a bit) more effort for a string of the same length.I'm sure that technically you have foundation for your argument(s). But people live day to day fine with getting home from work and using a house key to get into their house/condo/apartment. It does not stress them that a guy with a couple of battery powered drills can drill out the front door lock in about 30 seconds if he has practiced the procedure. But the owner/renter can get in his own place in the most likely event terrorists are not waiting inside.
I'm sorry, but that is a silly attempt at an analogy.
Getting your credentials leaked is a very real risk - just look at the monster breaches various big sites have had over the last few years. You really should consider your password hashes to have been breached, and better hope you haven't used any sites negligent enough to use weak hashing (or no hashing at all, or reversible encryption instead of hashing).
So you need to pick your passphrases under the assumption that it will be suffering an offline attack.
There's a balance point past which the customer exists to serve the service instead of the other way around. We have already tipped the scales in many areas.
Password hygiene has nothing
to do with "customer serving the service", but you're right that there's a balance - that balance is between how much effort you put into securing credentials for Site X vs. how much it would hurt if that set of credentials are breached.
For most people, getting facebook or their primary email account taken over can lead to a lot
Using a password manager to have unique, strong passwords per-site really isn't much of a hassle. Adding 2-factor authentication is a minor annoyance, but it's worth doing for "primary" accounts like mail, facebook, github and the likes.