Malleability of transactions seems annoying to me and prevents a lot of pure trust-less applications from being rock solid.
Non-canonical signatures are being rejected by the network these days, and the implementation in bitcoinj will reject any signatures that are passed over the protocol which are non canonical. So I am not sure there is a way for the server to maliciously modify the multisig contract - it would become non-canonical and fail to relay. It's not a hard forking rule (yet) so some miner could still pick up a modified form, but as you note, there isn't much incentive to do that.
The poker application did sound interesting. However, I'm not sure it's practical to do this...
Quite apart from how you manage the money, dealer-free cryptographic poker is a highly challenging problem. And even if you succeeded you have no way to prevent cheating. Centralised sites rely on lots of proprietary heuristics to try and keep cheating to a manageable level, even so, they cannot do a great job given the amounts of money at stage. But if you take away the central authority, you also take away the option to use secret rules of thumb and arbitrary eviction of players.
I admit though that I've never understood the appeal of online poker.