Also came across this post that explains the logarithmic calculation of reputation and that it is stored on the blockchain: https://steemit.com/steemit/@digitalnotvir/how-reputation-scores-are-calculated-the-details-explained-with-simple-math
I take that to confirm what I said, that any external app could query your reputation if it can confirm your id - presumably via something you sign with one of your keys that would verify your id.
This brings up a further issue that needs clarification. Do sites that operate SMTs require their users to have a Steem user id (that could be used to log in to Steemit, for example), or not? I imagine that such a username/id would be required, but I haven't seen anything about mechanisms for perhaps auto-creating the names for people who are members of your site, but not of Steem/Steemit.
Additionally, there is the question of whether posts to your site will be visible in Steemit or not - which is something else I haven't seen mentioned anywhere that I have looked yet.