The one thing I'm still not quite sure on is: how does StrongCoin spend your BTC without your un-encrypted private key? Are browsers actually capable of broadcasting transactions to the bitcoin network without any server involvement?
The transaction is signed with the private keys on the client side, using JavaScript in the user's web browser. The signed transaction message is then submitted to StrongCoin who will broadcast it to the Bitcoin network for you. It's important to realize that they can't derive the private key from this digitally signed message; they can only validate the signature against the message using the public keys. And a digitally signed message cannot be altered without invalidating the signature in the process, so StrongCoin can't just change the output addresses to their own, or do anything nefarious like that. If they attempted to do something like that, and then submitted it to the Bitcoin network, honest nodes will refuse to propagate it to others and honest miners will reject it because the signature won't be valid any more.
Hope that helps.
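The property described in the answer above, as an added example that is not part of the original post and not StrongCoin's code: a relay that only sees the signed message can forward it, but cannot change the outputs or re-sign them with its own key. The JSON transaction encoding, the `ownerHash` stand-in for a Bitcoin address, and all function names are assumptions made for illustration; it runs under Node.js.

```javascript
// Added illustration: simplified transaction format, not real Bitcoin serialization.
const crypto = require('node:crypto');

const sha256hex = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Constructed canonical encoding of the fields covered by the signature.
function serialize(tx) {
  return Buffer.from(JSON.stringify([tx.pubkey, tx.outputs.map((o) => [o.address, o.satoshis])]));
}

// Browser side in the post: the private key is used here and never sent anywhere.
function clientSign(keyPair, outputs) {
  const pubkey = keyPair.publicKey.export({ type: 'spki', format: 'der' }).toString('hex');
  const tx = { pubkey, outputs };
  const signature = crypto.sign('sha256', serialize(tx), keyPair.privateKey).toString('hex');
  return { tx, signature };
}

// Network side: needs only public data. ownerHash stands in for the address
// that holds the coins being spent (real Bitcoin uses RIPEMD160(SHA256(pubkey))).
function nodeAccepts(signed, ownerHash) {
  const der = Buffer.from(signed.tx.pubkey, 'hex');
  if (sha256hex(der) !== ownerHash) return false; // signer does not own the coins
  const key = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  return crypto.verify('sha256', serialize(signed.tx), key, Buffer.from(signed.signature, 'hex'));
}

function demo() {
  const user = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const relay = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const ownerHash = sha256hex(user.publicKey.export({ type: 'spki', format: 'der' }));

  // Constructed sample payment.
  const signed = clientSign(user, [{ address: 'addr-of-recipient', satoshis: 50000 }]);
  // Case 1: the relay forwards the message untouched.
  const honest = nodeAccepts(signed, ownerHash);

  // Case 2: the relay rewrites the output address but can only reuse the old signature.
  const altered = JSON.parse(JSON.stringify(signed));
  altered.tx.outputs[0].address = 'addr-of-relay';
  const tampered = nodeAccepts(altered, ownerHash);

  // Case 3: the relay re-signs the rewritten outputs with its own key.
  const resigned = nodeAccepts(clientSign(relay, altered.tx.outputs), ownerHash);

  return { honest, tampered, resigned };
}
console.log(demo());
```

Only the untouched message is accepted; the other two cases fail at signature verification and at the ownership check respectively.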