How real is the risk of a registered and legit business selling a banking app taking your banking credentials and stealing your money? I’d estimate it to be 0.
It stores the data locally, so first you have to break into the system, then the encrypted container of the app. If someone does that then you are probably a pretty high value target and have different problems.
An open source, non audited app, that’s not even compiled yourself (iOS app) isn’t much different than that.
My understanding of PSD2 was that it allows third party services to access bank records of customers who authorise them, not allowing customers themselves access to the API. As a result I assumed PSD2 wasn’t helpful for a totally local application. Am I misunderstanding that?