RE: How I Created A New Steem Account FAST - And How You Can Too (Introducing @thankyoujay)

AnonSteem does in fact generate your keys server side. We do this for convenience, and also because most users are not technical enough to generate their own keys.

Quite often, the fact that we keep a record of people's keys has saved quite a few accounts from being lost to the void. It's common for users to mess up when changing their passwords, and they don't keep a record of the old one. Luckily they usually haven't deleted their keys from the server yet, and so I can help them recover their account.

All services have risks. If you aren't reviewing the code for STEEMIT.COM, the site could just as easily be hacked, and steal your account too. That happened just last year, and is the reason the account recovery feature even exists.

These services are all trust based. I have a long 5 year history in the crypto community, and I'm in the top 50 witnesses on STEEM. People see that history when they look up my name; for example, I run LiteVault, which is an online wallet with over 40,000 users. If I were malicious, I could have stolen millions of dollars from my users. Instead, people see that I have a high respect for privacy, security, and integrity. If I ever shut down a service which has a wallet, I go out of my way to return every last penny to the users.

Regardless of that, there's still a risk that I could be keeping people's private keys even after they're deleted. If someone had doubts about my integrity, then they probably shouldn't use AnonSteem. Even if I added client-side key generation, there's still the risk that I could inject malicious JavaScript to steal those keys once they're generated, so there still has to be a layer of trust.

Wow, thank you for being so honest. That's incredibly important to know, especially since Steemit accounts are directly tied to digital wallets.

I really appreciate your in-depth response and believe it will help people decide whether paying a third party to create their account is the right choice. I suppose no matter how you decide to create your account, there are always pros and cons.