so does this mean blockchain.com can freely access you account and interfere with the funds inside it and use it as they please? since OP said that he didn't made any transaction to send out the
the transaction he received the only possibility now is that blockchain.com has complete control over their users accounts. if that is so, this is quite troubling.
No, they can't.
The private keys are generated in the browser - client side.
They get uploaded to their servers encrypted only. With your login and the correct password, you can access and decrypt them from everywhere (locally in your browser).
But this still doesn't mean that web wallets are pretty secure. There are a lot of attack vectors applicable to (only) web wallets. But a (honest) web wallet service provider is none of them.