Anyone pushing you to do something you don’t understand, or understand poorly. I could see an actual security researcher pushing for a code update to fix a vulnerability.
Heck, even as an occasional contributor I take some pride in seeing my fixes etc make it into the mainline codestream.
But yeah, you definitely need to be wary of somebody you only know from online pushing a change that doesn’t make sense or you don’t understand.
I’ve been fairly happy with Alfred locks using ZigBee. There’s still a Bluetooth+App component to those as well for adding choices but you don’t need it to use ZigBee for locking/unlocking or viewing status.
Don’t use the wifi bridge though. I briefly tried that and it connects to some address hosted in AliCloud of all frigging places