Rabbit R1 connects to your third-party accounts in a hidden div

It's well known - they said it themselves - that you're authenticating on their server infrastructure, not on device.

Is it secure? Definitely not, you're essentially giving them your passwords. Is it a problem if you're accessing your Spotify account through email/unique password? Not so sure - I guess I can continue to live even if they abuse my playlists.

Beware of signing in using Microsoft/Google/Facebook accounts, though. I'd never do that.