BC.i knows the complete mapping of bitcoin addresses to accounts (and emails if provided). With this information they technically have the capability to target specific users and replace their JS code at sign-on with new code that intercepts the private keys. With the private keys in hand the coins could be diverted out of your control.
If you happen not to log in after such targeting begins and instead use an email backup of your wallet, then the only exposure is brute-forcing the wallet encryption. However, the encryption strengthening is not very strong: there are apparently GPU crackers that can test on the order of 1M keys per second, and most users are not capable of choosing keys which can withstand a strong attack (even, or especially, if they believe they are capable).
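To put the 1M keys per second figure in perspective, the following added example (not part of the original text) estimates how long an offline search of an encrypted wallet backup would take for a given password shape, and how long a password must be to hold out for a chosen number of years. It assumes passwords drawn uniformly at random, which is an upper bound for human-chosen ones; the password shapes and the `stretch_factor` parameter are constructed for illustration.

```python
import math

GUESSES_PER_SEC = 1_000_000            # rate quoted in the text above
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(alphabet_size, length):
    """Entropy of a password whose symbols are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def expected_years(bits, rate=GUESSES_PER_SEC, stretch_factor=1):
    """Expected offline search time: on average half the keyspace is tried.

    stretch_factor (assumption) models stronger key stretching: k times
    more work per guess divides the attacker's guess rate by k.
    """
    guesses = 2 ** (bits - 1)
    return guesses * stretch_factor / rate / SECONDS_PER_YEAR

def min_length(alphabet_size, target_years, rate=GUESSES_PER_SEC, stretch_factor=1):
    """Smallest random-password length whose expected search time reaches target_years."""
    needed_guesses = target_years * SECONDS_PER_YEAR * rate / stretch_factor
    bits_needed = math.log2(needed_guesses) + 1   # +1: expected = half the space
    return math.ceil(bits_needed / math.log2(alphabet_size))

# Constructed password shapes: (description, alphabet size, length)
SHAPES = [
    ("8 random lowercase letters", 26, 8),
    ("4 random words from a 7776-word list", 7776, 4),
    ("12 random printable ASCII characters", 94, 12),
]

if __name__ == "__main__":
    for name, alphabet, length in SHAPES:
        bits = entropy_bits(alphabet, length)
        print(f"{name}: {bits:.1f} bits, ~{expected_years(bits):.3g} years at 1M/s")
    # Human-chosen passwords are not uniform, so real search times are
    # shorter than these estimates: dictionary guessing tries likely ones first.
    print("lowercase length for 100 years:", min_length(26, 100))
    print("same, with 1000x more stretching:", min_length(26, 100, stretch_factor=1000))
```

At the quoted rate, eight random lowercase letters fall in about a day, while the required length drops only slowly as stretching increases, so password entropy matters far more than modest strengthening.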