Your apps are great but there is a fundamental bug in them. They can only work because of users TRUST you with their money. I don't tell it's your fault, you made them this way because there was no other way to implement application logic.
The better approach would be a real, auditable and decentralized L1 smart contract system built in the HIVE core. You publish your game logic as an SC, you point your frontend there and people (or an independent auditor) could check the code and decide if it's malicious or not.
I'm not telling that you have bad intentions, just that we could never know for sure and neither you can be sure that your VPS is invulnerable.
I get that. It's a fundamental limitation of Hive itself and as you point out, there's no L1 system in place for this kind of thing. You build on Hive, but you can't build within it. That's where chains like Ethereum have an edge, although there's no shortage of poorly written smart contracts that have led to millions in ETH being stolen or hacked.
Worth noting though, the apps I build are essentially read-only applications that work on the basis of custom JSON and transfer operations, streaming blocks and looking for specific operation types. So if someone were to somehow get into the site, they'd find a front-end and a Node.js backend with Postgres or MongoDB storing site-specific data. There's no keys, no wallets, no funds to extract (those all live on Hive). The hosting is cloud-based too, so there's no server anyone can SSH into from the outside. Nothing is perfect, but considerations are made at a design level.