At this time, apps are hosted as Web sites. Some of them, like Graphite, can operate completely offline. There is a proposal to use subresource integrity hashes to anchor the app’s code and resources to a blockchain transaction issued by the app developer (and verifiable by your client), which would remove the Web server from your trusted computing base. We’re still working on that, though.
You are not required to sign in with the hosted authenticator at browser.blockstack.org. That is there simply for the convenience of onboarding. When I sign into a Blockstack app, I use my locally-running Blockstack Core node and my locally-running Browser.
At the protocol layer, you have the ability to control where your data is hosted. The Gaia hub run by Blockstack PBC is provided as a convenience of helping new users get onboarded. However, you can run your own Gaia hub today and have it store and serve your data instead, and everything will continue to work. However, the process of doing so is still somewhat involved (there’s a write-up on how to do it here). One of our Q4 deliverables is to make this process easier for non-technical users.
The lower layers of the protocol stack that you don’t directly interact with – Atlas and BNS – are already maximally decentralized. Every Blockstack Core node maintains a full, 100% replica of all BNS and Atlas state, so you can use your own node in place of core.blockstack.org without any loss of functionality.
Hope this helps!