How are you in control? Do they not have a copy of your wallet on their servers?
If I'd have to put trust in an online wallet service, I'd go with one that offers multi-sig, so that at least I know they can't spend my coins without my signature.
They only have an encrypted copy of your private keys in their database. As long as you use a strong passphrase, they are not able to decrypt and use your private keys to create transactions to spend or steal your bitcoins.
When you connect to their hybrid wallet with your web browser, you run javascript that obtains your passphrase from you, and keeps it stored locally in your browser. They do not receive the passphrase. The javascript then retrieves the encrypted wallet from blockchain's database and decrypts it locally in your browser. The javascript running in your browser is then responsible for creating transactions to send bitcoins where you request.
The technical details are a bit like using Electrum, storing a backup of your Electrum wallet file encrypted in cloud storage (such as dropbox or google drive), deleting the Electrum program every time you finish using it, and re-downloading/installing it each time you want to use it again. Only all those steps are automated for you, and the program is written in javascript instead of whatever language Electrum is written in.
, two factor auth and so on).
