Very nice article! Now I understand better what an app needs to be considered a dApp!
Indeed, transparency and auditability is very hard to implement and even harder to verify. I remember the old days, when security was assured solely by what UI would tell us, and personal finance apps would have backdoors to change password without requiring current one to be provided. Just hook a dll and u hack the app.
I'm happy to see how Software Engineering has been evolving security, to a point we don't need to trust our apps UI and not even its controller and persistence.
This new generation of apps is just starting, I hope that in some years we have the early ones redesigned to comply. They are still better than top systems like Facebook which isn't even crawled by Google.