I think you are 100% right. All cryptographic operations should be performed client side. It is also where all sensitive data like passwords should reside.
If things work like you described and you have to hand over all secrets to this service then it means that they have full access to your unencrypted data.