This is true for things that are connected to the network anyway. It is not true for unconnected devices controlled by Bluetooth. The gratuitous app login is straightforwardly malign.
Speaking from personal experience, I am far more comfortable with a web interface than a BT interface. If I were hired to write code for an IoT kitchen thing I'd probably implement a web thing, rather than a BT thing. That would not be malicious on my part, just laziness (if you're being unkind), or pragmatism (if you're being kind).
