Hello. My name is camalaio and I'm a software developer with experience in public and private web services including networking-oriented services.
If you are not someone familiar with the industry, please heed my warning: keep your password safe. Anyone can use it with Tesla's public API to control your car and your garage door (if homelink is setup). A Tesla-run website is not necessary to control your vehicle.
Hang on guys, we've got a badass hacker over here...
You don't need to "hack" an app for Tesla cars, especially for controlling your own car. For one, it exposed the functionality already. Two, it used your account authentication (which you freely exposed to a third party). Three, it's just using the public Tesla API and presenting a UI to use it. If you actually found an issue with the API, Tesla would pay you big bucks for a bug bounty. Try taking them up on it.
A website's UI includes rendering of data from the API. Like you said, it can be a shortcut. All the sensitive things the Tesla website/app can do are just visual abstractions of using that public API.
Many APIs are designed to be publicly accessible, as they often need to be in order to provide a service. If they are public and serve sensitive or personal information, they require authentication (e.g. username and password). This authentication is your only barrier to entry in a well designed system, and no web browser is necessarily required.
Keep your password safe folks.