Really when it boils down to it everything has a certain amount of risk. Like the main STEEM wallet being a web interface for instance. Browsers always touch the Internet and are inherently more insecure than a hardware wallet for instance. SteemConnect is pretty safe and pretty proven as a lot of us have used it to connect to DTube, DLive, Busy.org.

That being said I always use my Private Posting key when I SteemConnect so that if something was compromised somehow all a person would be able to do with my account would be to post and vote but they wouldn't have wallet access or the ability to change my password.