I mean the alternative was installing the proprietary app so I would say this is still a big win. But also yes, any wifi capable device in your home with no authorization is clearly a disaster waiting to happen.
I don't disagree that it's a huge improvement over some proprietary app but I still don't think "using the light's API as designed" counts as pwning it.
It's the same API that openHAB or Home Assistant would consume to control it.