"your private key in their web app, that's cloud to cloud"

Not necessarily true.
The fact it's a web app doesn't mean private key leaves your device.
Code is open source for you to see. You don't trust they run that? You can always inspect what happens client-side. 
I'm not saying I did. I say strong claims need strong evidences.