Sort:  

Does steemconnect have my active key?

No. In theory (auditable) it's all browser side where you sign the transactions. Steemconnect servers won't see it.

That is what I was told when I got here, but I don't code.
So, this flap is over nothing?

Yes and no. I suppose some people just haven't decided to trust steemconnect yet, or are worried about phishing (which just is a matter of either using a password manager or paying attention to the URL I suppose)