Quite incorrect, Geko: The review process absolutely does not prevent that from happening even via fully approved and published web services SmartApps.
For example, nothing prevents IFTTT, Amazon Echo, InitialState, or The Ubi (all are “approved web services SmartApps”) from doing anything at all with the devices you authorize. They could purposefully or accidentally unlock all your doors, for example, or flood your lights in a denial-of-service attack type scenario; collect the event data on all authorized devices and sell it to marketers…
Please, please, please move, follow, and continue this discussion on the thread Topic I directed you to: SmartTiles (& "other" External Services) Security