Your node pubkey only needs to be associated once with your clearnet IP for that protection to go away, so it's definitely not bulletproof.
Discussion
I think of Zaps like a small transactional account. It doesn’t need to be tied to any private financial infrastructure.
It’s just a petty cash account that sometimes goes up and sometimes goes down. May need a top-up or withdrawal from time to time.
Maybe if we see more serious transfers with significant amounts, we may need better self-managed approaches to minimise risk/trust.
That's entirely fair that you choose to take it that way and I can see you understand the tradeoffs.
Overall I just want the tradeoffs to be clear to newcomers so that they don't think LN has magical perfect privacy and anonymity or that custodial LN is actually bitcoin.