I think I see what you're saying; that the Matasano post argues that a lot of cryptography in web apps is flawed because the code is delivered insecurely (over plain HTTP):
Furthermore, TLS + HTTP = HTTPS does not solve the whole problem because the threat model (implicitly) specifies that the web server cannot be trusted with the user's (unencrypted) data. That indirectly means that the server cannot be trusted with delivering a correct implementation of cryptography, so no amount of secure delivery of the web application is going to solve the problem.
Therefore, perhaps critics of cryptography in web apps argue that the threat model should be much stronger, as in the web server is trusted as little as possible (whatever that means)? This may be why they refer to works on searchable encryption.