Just to complete what brugeman said here.
When connecting with NIP-46 there's a chance someone can pretend it's the application you are trying to connect to, but for this attack the attacker needs to know your relays and guess when you are connecting to an application.
To mitigate this there's a "use secret" option; in Amber it's off by default because at the time most applications didn't support this.
For native applications using NIP-55 I use the package ID of the app, so if someone wants to pretend it's an application like Amethyst they can't; the only way to do this is making you uninstall Amethyst and install the fake app.
I'm also not a security expert, so it would be better if we had an audit.
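To show what the "use secret" option changes on the signer side, here is an added example (not Amber's code) that models a NIP-46 `connect` handler: the `Signer` class, its session store and the hex keys are constructed for illustration; the `{"id","method","params"}` request shape, the `[remote_signer_pubkey, secret, permissions]` params and the `"ack"` result follow NIP-46.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Signer:
    """Model of the signer (bunker) side of a NIP-46 connect handshake.

    This is an illustrative model, not Amber's implementation: the session
    store and field names are invented; the request/response JSON-RPC shape
    is the one NIP-46 specifies.
    """
    pubkey: str                      # signer's public key, hex (constructed)
    secret: Optional[str] = None     # secret from the bunker:// URL; None = option off
    sessions: Set[str] = field(default_factory=set)

    def bunker_url(self, relay: str) -> str:
        """Build the bunker:// URL the user hands to a trusted application."""
        url = f"bunker://{self.pubkey}?relay={relay}"
        return f"{url}&secret={self.secret}" if self.secret else url

    def handle_connect(self, sender_pubkey: str, request: dict) -> dict:
        """Handle a decrypted connect request sent by `sender_pubkey`.

        params = [remote_signer_pubkey, optional_secret, optional_permissions]
        """
        params = request.get("params", [])
        supplied = params[1] if len(params) > 1 else ""
        if self.secret is not None:
            # With the option on, only a client that received the bunker://
            # URL (and therefore the secret) from the user can connect.
            # Constant-time comparison so a wrong guess leaks nothing by timing.
            if not hmac.compare_digest(supplied, self.secret):
                return {"id": request["id"], "result": "", "error": "invalid secret"}
        # With the option off, any peer that knows the signer pubkey and relay
        # can reach this point and only the user's approval prompt remains.
        self.sessions.add(sender_pubkey)
        return {"id": request["id"], "result": "ack", "error": ""}

# Constructed keys and requests for a stand-alone run.
SIGNER_PUBKEY = "ab" * 32
UNKNOWN_PEER = "cd" * 32
TRUSTED_APP = "ef" * 32

def demo() -> dict:
    off = Signer(pubkey=SIGNER_PUBKEY)
    on = Signer(pubkey=SIGNER_PUBKEY, secret="c0nstructed-secret")
    return {
        "off_unknown": off.handle_connect(UNKNOWN_PEER, {"id": "1", "method": "connect", "params": [SIGNER_PUBKEY]}),
        "on_unknown": on.handle_connect(UNKNOWN_PEER, {"id": "2", "method": "connect", "params": [SIGNER_PUBKEY]}),
        "on_trusted": on.handle_connect(TRUSTED_APP, {"id": "3", "method": "connect", "params": [SIGNER_PUBKEY, "c0nstructed-secret"]}),
        "on_sessions": set(on.sessions),
    }
```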