Let me quickly go through your points, maybe I'm able to put your mind at ease here:
I had to enter the password online which seems to me that it IS therefore leaving my device and submitted somewhere (contrary to what the Technical Overview says)
The password is hashed with an individual salt and the result of that is sent to our server. A hash has the property that you cannot calculate the password back from it. That means that your password is actually not leaving your device. The key calculated from your password is hashed with a different salt. That means that from the hash we receive from you, we cannot calculate the password hash either. This actually is written in detail in our technical description. While this might seem counterintuitive, that's how hashes actually work.
Imagine it like your favorite Indian dish in a restaurant (I'm choosing Indian food here because it has quite many different spices): You can taste if they used the same recipe - it tastes as you're used to. So you can verify they used the right ingredients. But that doesn't mean that just from that taste, you know all the ingredients that went into the dish. What you are sending to our server is the dish. What you need to decrypt your files is a different dish, made from some of the same ingredients. We cannot extract the ingredients from the dish, and we cannot use the dish you sent us to cook the other dish either. We can only verify that you knew what was required for it.
I also feel concerned that since Boxcryptor generates and holds my public/private key, then anyone could download them if they have the password (or somehow hack BC).
There is no substitute for a good password. Boxcryptor can help you to keep your files safe, but it cannot remove all responsibility from you to choose a good password. And if Boxcryptor got hacked, then the attacker would still need to have the password, since your keys are encrypted with your password, and we do not have access to it at any point. Password-less systems have a higher demand on the end user (e.g. they now have a local key that they have to take care of and bring with them to other devices). This would result in dramatically fewer users choosing to encrypt their files, because the additional work to do so would be too high for them. In the end, you have more users storing files unencrypted, and Boxcryptor ceasing to exist because too few people would be using it: A lose-lose situation.
Unfortunately, we cannot do more to prove the security of our product than to make publicly available how Boxcryptor works - and we're doing that in our technical overview. We try to make this overview as understandable as possible to everybody, but cryptography is a complex subject. There are many things possible that seem counterintuitive, as you already noticed. To verify yourself that the procedure is secure and zero knowledge, you do need to have some basic understanding of cryptography... I'm afraid there is no way around that.
So how do you know if Boxcryptor is secure? Well, if you cannot verify it yourself, there are lots and lots of crypto experts out there, and they all can read our technical overview. If our protocol had any obvious flaws in it (and the points you make would be very obvious flaws), then you could be sure that the first thing you notice when typing "Boxcryptor" into Google would be blogs and reports ripping it apart. This is not the case: A clear indicator that crypto experts don't have concerns about Boxcryptor.
Hope that helps,
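The two-salt scheme described in the reply above, as an added example that is not part of the original post and not Boxcryptor's code: the client derives a login verifier and a separate local key from the same password. The use of PBKDF2-HMAC-SHA512, the iteration count, the salt sizes and all names here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not taken from Boxcryptor


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA512: one-way, salted derivation from the password."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=32)


class Server:
    """Hypothetical server: stores only the two salts and the login verifier."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, auth_salt, key_salt, verifier):
        self.accounts[user] = (auth_salt, key_salt, verifier)

    def salts(self, user):
        auth_salt, key_salt, _ = self.accounts[user]
        return auth_salt, key_salt

    def login(self, user, submitted):
        # Constant-time comparison of the stored and submitted verifier.
        return hmac.compare_digest(self.accounts[user][2], submitted)


def client_register(server, user, password):
    """Upload salts and verifier; return the local key, which is never sent."""
    auth_salt, key_salt = os.urandom(16), os.urandom(16)
    server.register(user, auth_salt, key_salt, derive(password, auth_salt))
    return derive(password, key_salt)


def client_login(server, user, password):
    """Prove knowledge of the password, then rebuild the local key on-device."""
    auth_salt, key_salt = server.salts(user)
    ok = server.login(user, derive(password, auth_salt))
    return ok, derive(password, key_salt)
```

Whoever holds the stored salt and verifier can still test password guesses against them offline, which is why the strength of the password matters as the reply says.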