They get a token via the Tesla API which you can revoke whenever you like if you are concerned about a security issue. None have direct access to your Tesla account
While this is true, the token they store is perpetually refreshed (they last for 8 hours) in order to provide ongoing access to your vehicle or Powerwall, which is obviously required by the App in order to keep on doing its stuff.
Now you could argue why would any App developer want to collect all these refresh tokens to have ongoing access to your vehicle outside of the App they developed? The risk might be low but it is there. I’m sure every App developer would deny they sniff and collect them, but they would say that, wouldn’t they. And let’s face it, some people do weird and improper stuff just because they can.
It could, for example, allow the App developer to locate your car, unlock it, and start it - allowing a third person to drive it away.
Tesla recently improved their security so that a refresh token can be used only once to generate a new refresh token. That used to not be the case, which was a fairly significant security hole. But the App could simply pass on refreshed tokens to the App developer every time so that they have a current token.
As Hairyman notes, the token doesn’t provide any access to your Tesla account so it is secure from that perspective, and all tokens out in the wild are immediately revoked once you change the password to your Tesla account. So there is a way to kill them all off if you ever had a concern.
Caveat emptor.
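As an added illustration of the two mitigations the post describes (single-use refresh tokens and "change your password and every token dies"), here is a hypothetical token service written for this thread. It is not Tesla's API and not any app developer's code; the token format, the family grouping and the 8-hour access-token lifetime are assumptions made for the example. The point it adds to the post is what a server can do beyond "use once": when an already-rotated refresh token is presented again, that proves a copy exists somewhere, so the service revokes the whole chain of tokens descended from that login instead of just rejecting the one request.

```python
"""Hypothetical refresh-token rotation with reuse detection (example for this
thread; not Tesla's implementation). Every refresh token is single-use, a
replayed one kills its whole family, and a password change kills everything."""
import secrets
from dataclasses import dataclass

# The post says tokens last 8 hours; assumption: that is the access-token lifetime.
ACCESS_TTL_SECONDS = 8 * 3600


class Clock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class RefreshRecord:
    user: str
    family: str  # every token descended from one password login shares a family id
    used: bool = False
    revoked: bool = False


class TokenService:
    def __init__(self, clock=None):
        self.clock = clock or Clock()
        self.refresh_tokens = {}  # refresh token -> RefreshRecord
        self.access_tokens = {}   # access token -> (user, family, expires_at)

    def _issue(self, user, family):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = (user, family, self.clock.now + ACCESS_TTL_SECONDS)
        self.refresh_tokens[refresh] = RefreshRecord(user, family)
        return access, refresh

    def login(self, user):
        """A password login starts a fresh token family."""
        return self._issue(user, family=secrets.token_hex(8))

    def validate_access(self, access):
        """Return the user the access token belongs to, or None if unknown/expired."""
        entry = self.access_tokens.get(access)
        if entry is None:
            return None
        user, _family, expires_at = entry
        return user if self.clock.now < expires_at else None

    def _revoke_family(self, family):
        for rec in self.refresh_tokens.values():
            if rec.family == family:
                rec.revoked = True
        self.access_tokens = {t: v for t, v in self.access_tokens.items() if v[1] != family}

    def refresh(self, refresh):
        """Rotate a refresh token. Returns (status, access, new_refresh)."""
        rec = self.refresh_tokens.get(refresh)
        if rec is None:
            return "unknown", None, None
        if rec.revoked:
            return "revoked", None, None
        if rec.used:
            # Single-use rule violated: a token already swapped for a newer one is
            # being presented again, so a copy exists. Revoke the whole chain.
            self._revoke_family(rec.family)
            return "reuse_detected", None, None
        rec.used = True
        access, new_refresh = self._issue(rec.user, rec.family)
        return "ok", access, new_refresh

    def change_password(self, user):
        """Matches the post: changing the password revokes every token for the user."""
        for rec in self.refresh_tokens.values():
            if rec.user == user:
                rec.revoked = True
        self.access_tokens = {t: v for t, v in self.access_tokens.items() if v[0] != user}


if __name__ == "__main__":
    svc = TokenService()
    access, refresh = svc.login("owner")
    status, access, refresh2 = svc.refresh(refresh)
    print(status, svc.refresh(refresh)[0], svc.refresh(refresh2)[0])
```

Run stand-alone it prints `ok reuse_detected revoked`: the first rotation succeeds, replaying the old token is flagged, and the newer token from the same family is dead as a result. The family-wide revocation is the design choice worth copying: plain single-use rotation only stops the copy that arrives second, whereas revoking the family means whichever party presents the stale copy (app or third party) also loses the live one, and the legitimate client is forced back through a password login.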