I don't know if Umbrel is fully to blame here as they provide mechanisms of defense such as requiring authentication in umbrel to access certain apps but also providing variables that apps can use for situations like these like ${APP_PASSWORD}, for example.