Why is there no way to capture the passkey? Malware on the user's computer can always capture what's typed/clicked/etc.
He means that there is no way for anyone sniffing on Blockchain's side of the connection to capture the passkey, but I'm not sure that I agree with that statement.
If you have malware on your computer, a local bitcoin client isn't safe either.
It's possible to sniff it, but improbable that it will ever happen. If Blockchain wanted to do it, they have ways to, but they're easy enough to detect. The validator freaks right the fuck out whenever my computer bugs out on javascript, which is a lot thanks to some disk errors that I haven't taken the time to iron out. Theoretically, they could sniff and brute force the HTTPS encrypted traffic (actually a rather easy attack), but the chances of them capturing anything that leads to a high value wallet are rather low. (This is just my personal analysis.) The chance of XSS is also low, and SQL injection is useless as far as I can tell. (No, I haven't tried it, but I've analyzed the site for my own sake.) Anyways, local malware is the biggest threat.
I use blockchain, but most of my bitcoins are stored in a brain wallet - I watch this address on blockchain, and they provide the tools to allow me to access these coins if I need to.
It's the best of all possible worlds.
If someone hacks my account they can at best steal 3 bitcoins. The rest are safe.
Very smart idea, I may start doing that ^_^ Also, keeping wallet backups is important. Just a note. I keep my encrypted backups in 3 places.