Since Blockchain.com stores your seed server-side and shows it to you after login, that’s the real danger — once someone is in, they can grab your seed and move funds anytime in the future.
If they're following what they claim: only your encrypted "
wallet.aes.json" file is saved in their server.
Decryption is done client-side in your browser so as the seed contained in the wallet once decrypted.
Here's the reference to it:
https://bitcointalk.org/index.php?topic=40264.0 [
official Blockchain(dot)info topic, unknown to some]
With that, the attacker still needs your password to decrypt the wallet.
However, he can now perform bruteforce attack to it since without 2FA, he can easily download the wallet.aes.json with the email address alone.
And bruteforce may work depending on the weakness of your password.
As for the source code, only the front-end of the wallet is available:
github.com/blockchain/blockchain-wallet-v4-frontend/tree/development/packages