At the moment, with whirlwindmoney being the sole operator of the site, then they are in control of all 3 keys in a 3-of-3 multi-sig. This provides additional security against a single server being seized or infiltrated, but it still requires complete trust from the end user that whirlwindmoney won't scam them, as it would in a normal single-sig set up.
Correct
In the future with blinded bearer certificates and the involvement of other third parties, then presumably the best option in that scenario would be to migrate to a different multi-sig. Let's say they recruit nine other people to be signers for the blinded certificates. Maybe something like a 7-of-10 multi-sig would be the best in that case, which provides a good mix of security against some of the signers being dishonest as well as redundancy against some of the signers being taken offline, seized, infiltrated, etc.
Correct again, I believe it could work well enough even with less than 9 other people, but the flow remains the same.
CMIIW.
Nothing to correct. It was clear to us from the beginning that requiring trust from the end user would be the biggest issue, but until we find reputable users to add to the multi-sig there really is no way around it. We will try our best to migrate to the trustless version as soon as possible, it all depends on how fast we'll be able to find the right users for the multi-sig. Until then as you said
funds are safe from external actors but we could scam anytime if we wanted.