That seems to be the case. The fraud can be trivially proven, which would obviously result in the wallet being labelled a scam and the developers being investigated, but there is no on-chain punishment (at least, not at the moment). So from that point of view it works the same as any centralized exchange or service, any mixer, or any non-open source wallet or piece of software - reputation. Not ideal, but I'd still be willing to trust them with small amounts of coins at a time to use their service in due course, once they've proven themselves.