It is unfortunate that the Tesla API will only give access to all or none of the functionality. It would be much better if you could restrict the access an app has so it can only access certain parts of the data (e.g. not real time location) and not access remote controls (e.g. lock/unlock, summon, climate controls, etc). The exact restrictions should be configurable (by the owner) for each app.
Tesla might be better than other car manufacturers in terms of security, but they are by no means keeping up with the latest security standards.
Also another thing to consider: You might trust the app developer. However, if his app is installed and connected to many cars, it is a somewhat tempting target. Do you trust the developer's computer on which he builds (and digitally signs) the software? Do you know what security practices the developer uses on their computer? Do they use the same computer to open untrusted emails, play untrusted games on, visit porn websites, etc?
While the above is somewhat outside Tesla's scope on what they can do/control (hopefully Tesla have secure practices for developing their apps), if there were restrictions on what the app could do, the damage would be limited. E.g. it wouldn't be possible for a Trojan-app to send a command "unlock doors" to every car it is linked to, because this command would be restricted.
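The per-app, owner-configurable restriction described above, as an added example that is not part of the original post and not Tesla's API: every scope name, operation name and app identifier here is hypothetical. It shows a deny-by-default check where a fleet-wide "unlock doors" request from one app only reaches vehicles whose owners granted that scope.

```python
# Added illustration: hypothetical names throughout, not Tesla's API.
from dataclasses import dataclass, field

# Hypothetical mapping of API operations to the scope each one requires.
REQUIRED_SCOPE = {
    "get_charge_state": "vehicle:read_state",
    "get_location": "vehicle:read_location",
    "set_climate": "vehicle:climate",
    "unlock_doors": "vehicle:locks",
    "summon": "vehicle:summon",
}

@dataclass
class OwnerPolicy:
    """Per-app grants, configured by the vehicle owner."""
    grants: dict = field(default_factory=dict)  # app_id -> set of scopes

    def grant(self, app_id, *scopes):
        self.grants.setdefault(app_id, set()).update(scopes)

    def revoke(self, app_id, scope):
        self.grants.get(app_id, set()).discard(scope)

    def authorize(self, app_id, operation):
        """Deny by default: unknown apps, unknown operations and
        ungranted scopes are all refused."""
        needed = REQUIRED_SCOPE.get(operation)
        if needed is None:
            return False
        return needed in self.grants.get(app_id, set())

def fleet_command(policies, app_id, operation):
    """Return the vehicles on which app_id may run operation.
    policies: vehicle_id -> OwnerPolicy."""
    return sorted(v for v, p in policies.items() if p.authorize(app_id, operation))

def demo():
    # Constructed sample: three owners linked to the same third-party app.
    policies = {f"car-{i}": OwnerPolicy() for i in range(3)}
    for p in policies.values():
        p.grant("stats-app", "vehicle:read_state")
    policies["car-2"].grant("stats-app", "vehicle:locks")  # one owner opted in
    return {
        "read": fleet_command(policies, "stats-app", "get_charge_state"),
        "unlock": fleet_command(policies, "stats-app", "unlock_doors"),
    }

if __name__ == "__main__":
    print(demo())
```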