Yep, I agree. If you want perfect security and a 100% trust-less solution, then uFincs certainly isn't it.
But I like to think that, at least when put in contrast with other products on the market, choosing to do these privacy/security related things is better than not.
Well, the thing is that if you say "privacy-first", you are pitching to people who care about this sort of thing. For these people the fact that uFincs is not self-hosted is an instant no-go. And for people who don't see it as a problem, the privacy angle doesn't matter much either. See the disconnect? You have a good product, for sure, but the pitch needs a revision.
Oh I'm well aware of the disconnect. I just disagree that there are only people who care about privacy to the degree that they have to self-host everything. I believe there's room to ride the line between being 'privacy-first' (in that we care about privacy, first and foremost) and offering convenience (i.e. providing a web app).
I'm sure my customers who signed up with ProtonMail and Fastmail addresses can attest to that fact.
And for those who do fall all the way to the self-hosting side, well, there are plenty of other options on the market! Of course, there's nothing stopping us from being one of those options; it's just not our priority at this very moment.
Thing is, anyone even passingly interested in privacy will start questioning it: is it open-source? Can it be self-hosted? Is it available as a desktop app? It's privacy theatre unless the privacy can be proven.
Why not team up with the ProtonMail people to build a browser extension that verifies and logs javascript sigs/hashes? Corporate clients may like it. Gives them an IOC for the next big supply chain issue.
I don't know enough about browsers or JS to know if it's difficult or not.