Right. To avoid this risk it's recommended to check the code 2 sentences later. A few regulars doing that and any malicious change can be spotted very quickly.

From that perspective it's more secure than using steemit.com, where your point stands as well, but it's harder to check the code that's delivered by your servers. More comparable with the cli_wallet, with an additional benefit of easier to read code. The most secure way to send coins so to say!