He pulled a reverse Hitler

They didn’t specify box-sizing, so it will default to inner.

A random deployment is certainly risky, but no riskier than a random apk. I’d argue the random deployment is less risky because it’s easier to inspect it in the browser and see what it’s doing with your password. But of course both are to avoid. Self-hosting or compiling your own clients if you can, official deployments or releases otherwise.

Sure. Both compiling your own apk or self-hosting are ideal. If you’re not doing either though, the web app is more easily inspectable.

Its less dumb than entering it into a regular app compiled into an apk, which is more opaque (even if it’s also FOSS). Voyager you can host it yourself.

Closed source ones.

Voyager (formerly wefwef) is a self-hostable web app, so it doesn’t have this problem. Of course this only means you can inspect the code you’re running. You still have to able to understand the code to be sure it’s not doing anything malicious.