Apps (server side) don't need to handle keys or tokens at all. Everything can be done client side like it's done on dtube and steemit. It works really well this way. Nobody ever gets your key, you don't need to delegate any authority to anyone.
You actually introduce security holes that didn't exist before SteemConnect, so calling it more secure it a total joke.
Only good point for SteemConnect is that it makes it easy for noob developers to start creating something on steem, without having to code a proper key storage and verification system for their apps.
RE: Automated votes abuse on SteemConnect?