Their page says
https://www.omniwallet.org/aboutPrivate keys are never sent to the server except in an encrypted form
So how then they can sign transaction from address, if private key is encrypted ?
Ideally, most of these things work by having you give a password that decrypts the encrypted private key.
Such that, your addresses can be accessed, but all they have are strings of encrypted private keys, which only your password can decrypt. so it's you who signs the message from your end (instead of them).