Yup, there's no need for FUD. I just look at network activity.

Zappl is open source you can contribute to the Github or leave bug reports on utopian.

That's highly debatable when there have been only small commits since November, 2017. My bug report was created by utopian, twice for some reason, then closed with no explanation and no related commits.

To me, it seems like the Zappl front-end was put on GitHub so it would qualify for utopian's rules. But it hasn't been maintained.

No Zappl don't save keys, your keys are saved in your browser or mobile device not on our servers.

Maybe this is true, but it's beside the point. It's possible that Zappl signs in-browser, but it also sends the keys to the server. Since the keys are sent to the server, it's entirely possible that they're logging keys without knowing it.

Even if Zappl was capturing keys for the public key (Which were not because they're saved in your browser)were only limited to those uses above.

This is where we get into a real problem. Certain parts of Zappl does ask for the active key and does send the active key to the server. My GitHub Issue shows this.