Your newly generated password doesn't get sent from their server.
Your newly generated password is created and displayed from the javascript in your own browser, created with your own CPU calculations.
The password never got sent or received through the internet.
So while it does look alarming - they do not have your private key.
So now you have been corrected, and yes, you are wrong. :)