There is 2 differents ways. Both have advantages and downsides.

Everything can be done client side like it's done on dtube and steemit

Not everything, for example you canot do scheduled post on client side.

You also need to know how to do a proper key storage with auth, some app failed on this and we canot expect every app will know how to do it properly.

You need to have your code reviewed (be open source) or be trusted in the community not everyone is dtube and steemit.

Nobody ever gets your key, you don't need to delegate any authority to anyone.

The app may get it, if the server is hacked like was Utopian the hacker could log users keys and force users to update their keys in the end. With SteemConnect we don't store key, the hacker may get an access_token which expire after 7 days or get manually revoked but users keys are not exposed.