Well, you of course need to have the private key in order to sign the transaction. I'm not familiar with the blockchain API (I must check it out) but if they don't store the private key, then you must have to store it. If you are signing the transactions on your machine and pushing the signed transactions through the API then there is very little risk, but if you are actually transmitting the private keys to them and letting them do the signing then that poses all sorts of risks such as man-in-the-middle attacks or blockchain directly being hacked.

Other problems with API's are of course if the API goes offline so does your service - in fact there was an outage over at Blockchain just a few days ago. Or if Blockchain were to get hacked an attacker could feed you with fake data which could cause you losses, for example, if you are using the Blockchain API to find out when a deposit happens it could tell you a payment to you occurred when it did not. It's generally a good idea to avoid relying on third parties when it is unnecessary.

Take a look at Armory. It is an entire hot/cold wallet system and should cater to most needs.