If they’re operating in the US, it doesn’t matter whether the app is intentionally pulling unnecessary information, there are still server logs showing the IP of each request being made for the real-time updates. That IP + timestamp would let the government know (with the help of your ISP, who are all in bed with the government) exactly who you are.

If you are routing all your traffic through a VPN, you can make that much harder to correlate, but unless you validate on the wire or in the code that the app isn’t sending e.g. a device ID or any other kind of unique identifier, it could still end up compromising you. A webpage just intrinsically doesn’t carry the same level of risk as a local app.

That’s why, as the article notes, many of these have been shutting down preemptively; they know they could be putting their users at risk.