Hello,
I use both Homey Pro (at home) and Homey Bridge (at the summer cottage). I am aware that there is a good home security app for Homey Pro (Heimdall).
With Flow functions, the necessary functionality can of course also be made for Homey Bridge.
However, it would be really good if Homey Bridge also had official applications made/supported by Atom for key functions such as…
Fully cloud-based heating and security, what could possibly to wrong 
I don’t see much of a difference here that Homey Pro works at home (but can be controlled from outside the home > with an application). Then is possibly paired with the Google ecosystem. Or you have Homey Bridge, whose functions are practically 100% in the cloud. It is probably easier to break into a home implementation than a cloud service. Quite a lot of people don’t understand, have the know-how, or want to make the necessary security adjustments to the home network.
Consider the situation where your internet connection is gone. Homey Pro can at least continue running your flows and controlling your (fully-local) heating/security devices.
You are right about this. 
There is a connection via fibre in that particular property. Alarms from motion detectors etc. would of course not go through if the connection was lost. The heating, on the other hand, would go to a state where the situation before the interruption would be maintained (temperature setting).
Of course, the system must be built in such a way that if the connections are broken, no unwanted changes occur.
I’d also like this. I use Heimdall but would love something more native.
Also when I first read this I was thinking more of a health center. Like this app uses x npm package that has a viulneranility
If security is such an issue for you, Homey is probably not the best platform anyway, due to its closed nature. We don’t know to what extend Homey itself depends on vulnerable packages, and I would hazard a guess that even if an app uses a vulnerable package, its impact would be minimal.
If you publish a list of apps that use vulnerable packages, a regular user will not be able to gauge the impact of such a vulnerability anyway.
