I checked the github code, your login stays local to your phone and your local browser calls your lemmy instance.
I didn't check what's running on the wefwef.app site is actually the github code but all 3rd party apps have this risk even if you download it from an App Store.
But I’m relatively comfortable with the app, but do always follow good practices like not repeating passwords and worst case they just steal my lemmy account 🤷
If you’re concerned you could run the github code yourself since it’s open source https://github.com/aeharding/wefwef
Agreed, I think this is a misunderstanding as well of the AGPL but IANAL