It is a client side app. The difference between keychain and what Condenser (Steemit.com) does is that in Condenser the signing code is sent to the client via http, and executed client side. In Keychain the signing code is built into a browser extension. With the code in a http web response, the server could potentially serve malicious code which reads your keys and sends them to the server. It would even be possible to do this selectively. With a browser extension, malicious code would have to be embedded in an update for the extension, and it would likely be quickly detected by the community. Thus having the code which handles keys only in a browser extension is safer than allowing a web app to handle your keys directly, even if it is generally only done client side.