Agreed, I think this is a misunderstanding of the AGPL as well, but IANAL.
I checked the GitHub code; your login stays local to your phone, and your local browser calls your Lemmy instance.
I didn't check whether what's running on the wefwef.app site is actually the GitHub code, but all 3rd party apps have this risk even if you download them from an App Store.
I’m relatively comfortable with the app, but do always follow good practices like not repeating passwords, and worst case they just steal my Lemmy account 🤷
If you’re concerned, you could run the GitHub code yourself since it’s open source: https://github.com/aeharding/wefwef
I'm going to suggest checking out https://wefwef.app/ which is also a PWA but is very similar to Apollo.
It's solved a lot of problems Lemmy's own PWA has and is done really well.