RE: SteemConnect v. OpenSeed?
So the short answer is yes. Whatever is required to utilize steem to the fullest will be possible through the API. Signing, posting, adding and removing rights to apps to post on your behalf, and I'm confident that what is currently employed is good enough for most posting operations.
Things that require the Active key (transfers, buys, etc.) however will be handled with greater care and is still in development. When I feel that its good enough for others to use I'll write a post about it so everyone can check my work.
Password security is an issue, but as the backend / server developer my goal is to make it so that no one can get the password from the API or the server through nefarious activities. Beyond that there is little we can do if the enduser puts their password on a post-it note or some other silly practice that I've seen working in Infosec.
As far as your react Material-UI stuff. Is the code available somewhere? Or is there a good tutorial you would recommend?
That's great! Having an API is much more convenient than being forced to send users to an external site. The good thing about a solution like Steemconnect is though that if a site was attacked using XSS the attacker couldn't sniff any passwords since those are entered only on the Steemconnect site, that's what I meant about password security.
The components are available in the TravelFeed repo under MIT license on https://github.com/travelfeed-io/travelfeed-io/tree/master/components/Onboarding To see them in action you can go through the sign-up process on https://travelfeed.io/join
Material UI also has an excellent documentation available on https://material-ui.com/getting-started/installation/