Good point. Scammers could put an iframe that resembles steemconnect to catch users passwords ... There is no way around this, other than doing your transactions manually, which is simply the best safety practice you can do when it comes to cryptocoins. That's why I think this project is not such a good idea. However, I do trust busy.org, for instance, even though it could be compromised and my posting key could get stolen.