Is there an answer on this? I have the same question. I already typed a post with this question and just stumbled on this thread before posting.
I also worry about how this setup circumvents any firewall rules. How am I sure that no one will be able to get into my gateway? Is this some kind of quick connect?
There is no data exchanged between the gateway and the internet when using the online app. It acts only as a GUI for visualisation purposes (The javascript code runs localy in the browser on your PC). And it is the same functionality as when you run the app localy with the ip of your host system. The only data transmitted is a request to the discovery server to determine the ip address of the gateway in your local network. This communication can be disabled with a Rest API request to the gateway (PUT /api/<apikey>/config parameter: “discovery:false” see: Configuration - deCONZ REST-API)
The feature to disable this will be added to the Phoscon app in one of the next releases.