I don’t see much of a difference here that Homey Pro works at home (but can be controlled from outside the home > with an application). Then is possibly paired with the Google ecosystem. Or you have Homey Bridge, whose functions are practically 100% in the cloud. It is probably easier to break into a home implementation than a cloud service. Quite a lot of people don’t understand, have the know-how, or want to make the necessary security adjustments to the home network.
Consider the situation where your internet connection is gone. Homey Pro can at least continue running your flows and controlling your (fully-local) heating/security devices.
There is a connection via fibre in that particular property. Alarms from motion detectors etc. would of course not go through if the connection was lost. The heating, on the other hand, would go to a state where the situation before the interruption would be maintained (temperature setting).
Of course, the system must be built in such a way that if the connections are broken, no unwanted changes occur.
If security is such an issue for you, Homey is probably not the best platform anyway, due to its closed nature. We don’t know to what extend Homey itself depends on vulnerable packages, and I would hazard a guess that even if an app uses a vulnerable package, its impact would be minimal.
If you publish a list of apps that use vulnerable packages, a regular user will not be able to gauge the impact of such a vulnerability anyway.