From my point of view, the server should not have direct access to the client's private keys...
But if the service offers withdrawals then the server need to have access to it.
Client/Server communication with sensitive data is not safe! (Unless you are using HTTPS.)
But unlike credit cards, in the case of crypto private keys they are decentralized so impossible to block or close from fraud. So all malware has to do is hit any of the sensitive parts of the client computer e.g. a browser exploit and/or OS-level export that lets it read raw network traffic, and you're toast.
In know there is a risk, but there are some services that already do this, for example, blockchain.com/es/#/login?product=wallet lets us import private keys and see get the private key of our address.
Here's the web wallet
https://coinb.in/#wallet scroll to the bottom to find the the GitHub page.
The only difference is it requires an email and a password but once you create a wallet you can dump the private key there.
Thanks for this github repo, i take a look to the code and it doesn't call the DB or the bitcoin-cli. It works in a different way, looks like it generates the address from parameters like the mail and the password, so, once we log in the session keeps the private key as part of the cookie, and to be honest that's an interesting approach.