I mean, technically it is not their responsibility to make sure everything surrounding the app is also secure. Someone could also be watching users over their backs, their device could be rootkitted. Where do you draw the line? I think it would be better to put resources into developing an open-source, non-compromised IME but that is out of scope.