Maybe they did do this and we are just making bad assumptions? I guess the problem is that any app that does this might eventually make some change, knowingly or otherwise, that leaks your SK. This is not theoretical, it has already with cloud password managers and crypto apps.