Whoever is running the Alexandrite frontend you are accessing definitely could modify it to steal your password, so it’s another point of trust. To help reduce this risk, many instances will run their own Alexandrite (and other third party frontends). With a quick search I didn’t find lemm.ee hosting any though.

I believe OAuth support is planned for Lemmy but not sure on the timeline or the exact implementation.

On the relay emails, I believe some instances block their use, but the benefit of having many instances is you can find one that aligns to your values.