As far as I can tell, there are no similar measures in place with Mercury protocol.
That seems to be the case. The fraud can be trivially proven, which would obviously result in the wallet being labelled a scam and the developers being investigated, but there is no on-chain punishment (at least, not at the moment).
So from that point of view it works the same as any centralized exchange or service, any mixer, or any non-open source wallet or piece of software - reputation. Not ideal, but I'd still be willing to trust them with small amounts of coins at a time to use their service in due course, once they've proven themselves.
Not quite.
From my understanding, it is trivial to create an arbitrary number of Mercury servers, any of which could be acting evil. So Alice could create 10 Mercury servers, initially all of them honestly, then one steals all of the bitcoin it is holding, so users stop using it, but Bob has no way to know that Alice is running 9 other servers, and there does not appear to be any way to decline to use any particular Mercury server, so even if it was known that a Mercury server was dishonest, there does not appear to be any mechanism for Bob to prevent his wallet from using Alice's known dishonest server.
With CM for example, if they were to scam their customers, this would quickly become well known, and people could simply not use their services. Granted those behind CM could create a new service after they scammed under their CM name, however they would need to build up a reputation before being able to attract a lot of business.
It is no secret that CM is a centralized service, and that there is the risk that CM will scam their customers. CM does not try to hide this. With Mercury Wallet on the other hand, their documentation is misleading in that it is saying that funds in their wallet are not at risk of loss. There is also the concern that dkbit98 is shilling for this wallet while falsely saying he is not.