I think maybe it would be worth clarifying the difference between the current set up and your future plans.

At the moment, with whirlwindmoney being the sole operator of the site, then they are in control of all 3 keys in a 3-of-3 multi-sig. This provides additional security against a single server being seized or infiltrated, but it still requires complete trust from the end user that whirlwindmoney won't scam them, as it would in a normal single-sig set up.

In the future with blinded bearer certificates and the involvement of other third parties, then presumably the best option in that scenario would be to migrate to a different multi-sig. Let's say they recruit nine other people to be signers for the blinded certificates. Maybe something like a 7-of-10 multi-sig would be the best in that case, which provides a good mix of security against some of the signers being dishonest as well as redundancy against some of the signers being taken offline, seized, infiltrated, etc.