If you're holding your Shift in their online wallet they are as good as gone. The devs have control over all the private keys
That's a quite tendentious statement. Though, private keys communicated in plain text is a very serious design flaw. Especially in crypto we may expect security by design and a code quality review process.
As I understand, the problem was not recognized immediately as 'critical' by the development teams of RISE/Shift/LISK? Only after some community pressure? Then it sais much about their security awareness and development skills...