He considers the fact that web app hosters have root access to your data a point against web applications, as a hosting insider could do any number of undesirable things with the data.
It could be argued that the same applies to internal IT staff. Your IT guy could be selling company email addresses to spammers on the side, for example. I agree, though, that when a hosting company does it, they are probably better organized and can do more damage.
Michael also points out the dearth of APIs for web applications, which I agree is regrettable. On the other hand, there’s no technical reason that a web application can’t have a decent API for manipulating its data. We’ve come to expect API’s for local applications, why not for web-based ones?