I just realized I asked you the same question before.
If the server got hacked, could it send JavaScript that steals a user's password (which you say "never leaves your computer"), decrypts user data, and sends the password and the data to the attacker?