blockchain.com hosts a non-custodial wallet service. they don't "hold" your BTC. that's why they can't recover your wallet for you if you lose your key/password. your seed can be used to recover your coins to any other HD wallet.
In theory, someone could hack their website to change the javascript on the website so that anytime a blockchain.com wallet is accessed, the xprivkey will be transmitted to the hacker, or blockchain.com could make this change and the private keys would be sent back to their servers.
I suspect this type of hack would be very short lived, and their wallet service would be quickly shut down once discovered.