
All remote are more potentially hostile than any local will ever be.


And the company doesn't even have to be actively hostile for remote to be risky.

The company could go out of business and shut down their servers. Or shut down the servers because they're no longer selling the product.

Sometimes incompetence is as bad as or worse than malice. The company could break an API accidentally. Or the API only works intermittently. Or they could add poorly-implemented rate limiting that unintentionally affects multiple users when they share an IP via NAT.


Or worse, someone else spins up a server in its place.


And a local integration can be hostile if it's not publicly documented and they can update it / make it go away with an over-the-air update.

What matters is that they provide proper documentation for their APIs, encourage devs to use them, and don't have a history of breaking old clients with new firmware updates (without very good security reasons).


Yes, but some can't be local. For instance an integration that scrapes news from a website.


Sure it can be local - in the sense that all control and scraping lives on your machine.

But in general, OK - some things are better done via an on-line service. But it's the minority of cases - almost none of the IoT devices have a legitimate reason to route control and diagnostics through the cloud.



