Of course, good question.
The worst thing that can happen is that somebody gains access to all the stored access token that are generated by Steemconnect. In that case the attacker would be able to vote for all the authorised accounts.
When that happens all tokens can be revoked via: https://v2.steemconnect.com/dashboard both the users themselves and I can do that.
The database has been properly secured, and I am building something that will alert me via a text when there is suspicious behaviour.