I’m not sure how do Hue lights work, but if they have any Wi-Fi component they’re essentially a device in your network. If compromised (by a hacker or by Philips themselves) they’re no different than a device next to yours on public Wi-Fi. Someone will definitely have a desktop PC with vPro with default credentials, or once in a while someone will log into something using HTTP without the S and leak plaintext credentials.