For sure, I am not really that worried. I try to be preemptive and cautious precisely because I’m not an expert on security stuff.
But like you said, I prefer HA’s open source non-cloud approach. Since this particular product apparently is controlled locally by HA, it makes sense to me to just block its cloud access, to prevent future firmware updates from messing this up.
It is an interesting topic though, and the Chinese government makes no secret about their demands for backdoors in the tech companies who do business there. It does make me wonder how wise (or paranoid!) it is to expose a device with a mainland China cloud connection to my local network full of all kinds of IoT stuff, all with varying levels of security.