Well, there is even more details to it.
Utopian uses steemconnect to manage login, so utopian has no keys, only utopian.app
, ownen by steemconnect has them. And oncy posting atuhority, not the key. So utopian is not at fault here, the user is for not even reading what a transaction does before inputting his active key.
Is what I said: we have to read the rules, and if we do mistakes is our fault, but from what you said looks even more safer to me.