For the bad actor to toggle that “switch”, they would have to control the app.

Are you talking about physical control? Regardless, it’s closed-source… There is nothing that says they can’t also generate the keys on the other end that they had your devices generate. Outside of open source code that’s buildable from source, they can claim whatever they want about lack of access to switches.