@Tolkin Basically use common sense, like with everything on the Internet. For example, when you do your Internet shopping, you entrust a lot of valuable information, such as your credit card details, billing address and so on, to a party unknown to you personally. You don’t necessarily know how all that information is going to be stored, who is going to have access to it (customer support, database administrators, someone else), etc.
So what do you normally do to decide whether to buy something there? You probably check whether the site is new or was established some time ago, whether there is a known person or company behind it, etc. If the site looks dodgy, there is no information about who is behind it and the whois data is protected, that would perhaps make you think twice.
In this case the same logic is applicable, even though the actual risks are lower (no one in their right mind would risk their reputation by capturing someone’s key to sites like my-super-sturdy-garden-shovel.site or something similar). But it never hurts to see if there are options which might provide additional assurance of safety. For example, as was mentioned before, if it is possible to make your own CSR and use it, that’s a big plus already. Again, similar to how you might use PayPal on a shopping site instead of giving away your card details.
If everything was done on the server, I would say that it is not very safe indeed, and not necessarily because whoever runs the site is up to no good - as recent events with Yahoo and the like show, everything that is stored can be compromised. So the best option is when it is either manual (or semi-manual as in the case of gethttpsforfree) or runs in your browser only (like with ZeroSSL).
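The "make your own CSR" option mentioned in the comment above, as an added example that is not part of the original post: the key pair is generated locally with OpenSSL, and only the CSR, which carries the public key, is handed to the online service. The function names and the domain `example.test` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create the private key and CSR on your own machine, then
# confirm that the CSR is safe to paste into a web form.
# "example.test" is a constructed placeholder domain.

# make_csr DOMAIN DIR: write DIR/DOMAIN.key and DIR/DOMAIN.csr.
# The body runs in a subshell so the umask change does not leak to the caller.
make_csr() (
    domain=$1
    dir=$2
    umask 077    # key file is readable by its owner only
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null || exit 1
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -out "$dir/$domain.csr" || exit 1
)

# csr_matches_key CSR KEY: succeed only if the public key embedded in the CSR
# is the one that belongs to the local private key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_has_no_private_key FILE: succeed only if FILE contains no PEM
# private-key block (covers "PRIVATE KEY" and "RSA PRIVATE KEY" headers).
csr_has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Stand-alone use: sh make_csr.sh example.test [output-dir]
if [ "$#" -ge 1 ]; then
    out=${2:-.}
    make_csr "$1" "$out" &&
        csr_matches_key "$out/$1.csr" "$out/$1.key" &&
        csr_has_no_private_key "$out/$1.csr" &&
        echo "Submit $out/$1.csr; keep $out/$1.key on this machine."
fi
```
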