Wrong. If the Cryptocat server was compromised, then the source could be changed to send everything as plaintext or to send the encryption key to a third party.
Free sticker if you can tell the thread an even more plausible vulnerability, where the attacker can't directly change the source code in the .js files, that would be equally fatal to a scheme like this.