I believe the GUI is run locally, but if it was run as a web application from the developer's site it would only be able to scrape sites accessible to the public internet.
In this case TextSecure has end-to-end encryption, and supposedly even hides metadata when using the push service (which is hosted on Google Push Framework). Feel free to check the source yourself, or take Moxie's word on it, but I think their "track record" is a bit cleaner overall, regardless of the acquisition of WhisperSystems by Twitter.
I think it could be easy to do this accidentally. From the main LinkedIn page, if I save my username and password (which is my email), the LinkedIn page automatically fills in the login/password box when I revisit the site.
It also has a separate username/password box for giving it access to your email address. I have never used this feature. However, when I visit the site it fills in the second box with the same username and password.
If I used the same password for LinkedIn and my email account, saved my LinkedIn password, then all I would need to do is accidentally click the wrong button to send them my email credentials.
Isn't Comcast also a content provider? They provide cable TV services and own a TV network and a film studio.