by ChrisSD 3043 days ago
Troy Hunt and people who work at Cloudflare. But yeah, it depends on your threat model. If it's just a random website password then it's probably fine to check. If you're trying to keep secrets from the state then maybe not.

Regardless of your threat model, you can read the code and see how it works. It's short and easy to understand. It doesn't send anything more than the first 5 characters of the SHA1 hash.
Sure, but that leaks some information about your password. SHA-1 hashes are significantly quicker to compute than a password hash (and rainbow tables exist, making it even faster). So the first five characters can be used to narrow the search space.

This is however not likely a real problem unless your threat model includes targeted attacks.
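The exchange the thread is describing, written out as an added example (not code from the commenters, from Troy Hunt, or from the Pwned Passwords service): the client hashes the password locally, sends only the first five hex characters of the SHA-1 hash, receives every suffix the server holds under that prefix, and does the comparison on its own side. The breach corpus and the in-process "server" are constructed stand-ins for the real dataset and HTTP API, and the last helper quantifies what the prefix leaks in bits.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus standing in for the breached-password dataset.
# "password" appears twice so one bucket reports a count greater than 1.
BREACHED_PASSWORDS = ["password", "password", "123456", "letmein", "qwerty", "hunter2"]

PREFIX_LEN = 5  # hex characters sent to the server (20 bits of the 160-bit hash)


def sha1_hex(password: str) -> str:
    """Plain SHA-1 of the UTF-8 password, upper-case hex as the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: bucket hashes by their 5-char prefix, mapping suffix -> count."""
    index = defaultdict(dict)
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(index, prefix: str):
    """Server side. The prefix is the only thing that ever reaches the server;
    the response is every 35-char suffix stored under it, with its count."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range lookup takes exactly the 5-char hash prefix")
    return [f"{suffix}:{count}" for suffix, count in sorted(index[prefix].items())]


def check_password(index, password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password was seen in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, my_suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in range_lookup(index, prefix):  # the simulated network round trip
        suffix, count = line.split(":")
        if suffix == my_suffix:
            return int(count)
    return 0


def prefix_leak_bits(prefix_len: int = PREFIX_LEN) -> int:
    """Bits of the SHA-1 hash revealed by the prefix: 4 bits per hex character.
    This is the "narrowing of the search space" the comment above refers to:
    a 5-char prefix rules out all but 1 in 2**20 candidate passwords."""
    return 4 * prefix_len


if __name__ == "__main__":
    for pw in ["hunter2", "password", "correct horse battery staple"]:
        print(f"{pw!r}: seen {check_password(INDEX, pw)} time(s)")
    print(f"prefix leaks {prefix_leak_bits()} bits of the hash")
```

The server function deliberately accepts only the five-character prefix, so a reader can confirm from the code that no more of the hash leaves the client; the leak that remains is exactly the `prefix_leak_bits()` figure, which is why the protocol is fine for ordinary website passwords but worth thinking about under a targeted-attack threat model.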