I'm sure blockchain.info are able to access my "online wallet" for instance, they do own the hardware.
Although they have had some rather bad recent screw ups, the wallet design itself (assuming no flaw), means that the private keys are encrypted "client-side" via .js (so they cannot steal your funds from having access to the server alone).
You should keep this in mind if you are thinking of providing any sort of "wallet service".