"Applet" is the correct word -- it is a Java applet. The only way to not load anything from their servers every use is to use PGP in a more traditional setup, where your keys are stored locally and never leave your control.
As far as I understand it, you can one-time download and verify their Java program, and it uses your password to retrieve and decrypt keys in a way that protects you from Hushmail. So with that workflow it is very much like traditional PGP with no way to inject a vulnerability later. Am I mistaken?