Hosted applications may or may not handle the passwords properly after they've been entered into the form. It is inescapable that the host must have the raw keys in order to decrypt the data. It may be impervious to 3rd parties *now* but there's nothing that prevents that from changing, and the user has no way of detecting it.
Similarly for mobile applications -- unless one has firsthand knowledge that the currently installed application will not transmit raw keys to a 3rd party, AND prevents all future updates to that application, then the security is fleeting.
It may be that the promise of security is enough for a given use case, but to be sure one needs to encrypted the data with keys that are never transmitted to a 3rd party prior to uploading the data.
Another way of looking at it: If an entity were to hold a figurative gun to the head of a mobile app developer / hosting provider, in such a way that you as a user were unaware of it (ie were still willing to use the application / provider in the normal course of usage), could the application be changed such that the data is exposed?