I only have basic knowledge (I understand the concepts of public and private keys and some of the encryption protocols) so I cannot provide a full security audit.
However, as remote opening is not possible, there won’t be a risk that someone will open the door just by getting hold of your Xiaomi account or your phone. However it can be nagging if you ever loose your phone (and if there’s no password set for phone to unlock) as an attacker will be able to revoke all your keys and you then need to get a locksmith or Rambo to blow up your door
Manufacturer claims 128 bit encryption is used for the keys so even if anyone manages to get a hold on your key and makes a 1:1 physical copy of it, the door lock won’t accept it.
The lock uses Zigbee to connect to Xiaomi gateway so any protocol weakness (during Zigbee setup or during communication) will inherently transfer to the lock. And then there’s the communication between gateway and the Xiaomi servers in order to be able to use the app on mobile data connection. The good news is that the Xiaomi gateway can be completely locked on the LAN by the router so it will not be able to access internet, decreasing the security issues generated from the fact most Chinese devices are phone calling. The issue with this would be loosing remote app access in the process, however if HA would add support for the lock there would not be any need for using the app.
At the moment Home Assistant can call the pair function on the Xiaomi gateway without internet, so the gateway doesn’t need internet access in the first place if using HA (if trying to pair any device from the app itself then you need internet access, so I think this is a high mark for HA).
If a key is lost/don’t recall where it was left, then you don’t need to replace the cylinder which is the case for regular door locks, just revoke the key. If subsequently found, a revoked key can be re-authorized.
However the encryption actually raises a problem for families with more than 5 persons as an additional door lock set with cylinder and 5 keys needs to be purchased even if the additional cylinder won’t be used (haven’t found single keys to buy).