And who's invoice do they serve? It's not the users, it's theirs. They sure as hell can spend or keep that. If the Bitcoin isn't in your channel, it's not your Bitcoin.
They 'hold' the Bitcoin until their users collect it. What do you think hold means?
The only way anyone can have a non-custodial lightning address, is by owning the domain that serves the address. If you're using someone else's domain, they can take control and keep any Bitcoin sent to the address. And there's nothing you can do to stop that. You just have to trust the domain owner.