As with all third-party applications, sharing your API key theoretically gives the party full access to your account when they do not have their security done properly. Say the third party doesn't protect their database well enough; it might get hacked and the hacker might gain access to all these API keys (and thus all the funds in the accounts). Now, this is mostly theoretical. But you should be aware of what it means to hand over your API key. As for the bunq Desktop project, it does not store your API key in the cloud. So it remains on your local computer. But it remains a risk in some way. In case you want to be 100% sure, you can read through the source code (bunq Desktop is open source), but this requires some programming knowledge and hence is not a suitable solution for everyone. This, in my opinion, will always remain the pitfall of third-party applications. bunq can't possibly review all of them to give them a 'seal of approval', nor do I think they should. 🙂
PS: You can also use the bunq Desktop app via OAuth; then you do not share your full API key, but the app basically gains read-only access. But this will of course limit the functionality of the app.