I may be wrong here - but is the private key only required to send the money? So, if the user kept the key and it wasn't recorded on the server...or if they use some type of password hash for encrypting it, then there wouldn't be hundreds or thousands of wallets stolen at once. The user would enter their password when they want to transfer funds, the hash is calculated, private key decrypted, transaction made, and the private key is never recorded anywhere.
But this would require the user to NEVER forget their password, or else they lose their money.
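An added example, not from the thread, of the scheme the post sketches: the client encrypts the private key under a password-derived key, the server stores only the blob, and a forgotten password leaves no recovery path. It assumes a stdlib-only encrypt-then-MAC construction as a stand-in for a real AEAD such as AES-GCM, and a constructed 32-byte stand-in for the wallet key.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumption: HMAC-SHA256 in counter mode plus an HMAC tag stands in for a
# vetted AEAD (AES-GCM / ChaCha20-Poly1305); this keeps the example dependency-free.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the password with scrypt and split it into an encryption key and a MAC key."""
    km = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_private_key(private_key: bytes, password: str) -> bytes:
    """Client side: returns salt || nonce || ciphertext || tag. This blob is all the server stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_private_key(blob: bytes, password: str) -> Optional[bytes]:
    """Client side, at spend time: returns the key, or None if the password or blob is wrong."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong password or tampered blob: nothing on the server can recover the key
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed stand-in for a wallet private key
    blob = seal_private_key(key, "correct horse battery staple")
    assert open_private_key(blob, "correct horse battery staple") == key
    assert open_private_key(blob, "forgotten-password") is None
```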
If the user kept the secret key, that's not much of an online wallet - you might as well just use your secret key at home and send it directly yourself. They could encrypt it with a password or a PIN that isn't saved on their site, so that you would have to enter it to decrypt the secret key. That still counts on the site not just lying and keeping it, or you getting it keylogged or otherwise compromised on your side. Many online wallets do nothing of the kind; they simply have the secret key and use it to send. Someone with your password or access to the site could do the same. It's the same as a normal bank really: you have no physical/technical control over what they or someone who snuck into the bank does. You can control your access credentials (passwords, cards, account numbers, ID info, etc.) and that's good and well, but there's nothing preventing it from disappearing on their side besides what they (not you) do for security.
It's possible to sign transactions offline, so that the private key never touches a device that's connected to the internet. Check out http://www.bitcointrezor.com/