EnvKey makes a few tradeoffs in favor of improved usability.
Users' computers and connected servers are assumed to be trusted. EnvKey does not attempt to protect against endpoint compromise, either through physical access, or through viruses, keyloggers, Operating System exploits, privilege escalation, or other attacks. That said, EnvKey does make it easy to cut off that user's or server's access as soon as possible, and also makes it much easier to track which secrets may have been exposed and contain the fallout by rotating them quickly.
In order to allow easy sign in from any computer, EnvKey stores its users' PGP private keys encrypted with the master encryption passphrase in its database. This means that the burden of providing sufficient entropy to protect against brute force attacks is placed on the user's passphrase. Dropbox’s zxcvbn library is used to identify and block weak passphrases.
For both Invitations and RawEnvs (see Data Types & Functionality), when a keypair is generated, the private key is encrypted with a 16 character cryptographically random alphanumeric passphrase, then the encrypted private key is stored in EnvKey's database. These passphrases are never sent to the server. A 16 character random alphanumeric string contains enough entropy to prevent any conceivable brute force attack, so there's no meaningful drop in security here, but it's still worth mentioning. Single line strings are, of course, easier to send to someone, copy-paste, and set as environment variables than large key files.