Well the form is embedded on your website, not one controlled by the Matrix server. I assume this open source code sends the request directly to the Matrix server. But it'd be impossible for a user to know where it's being sent when they enter their details on the random website that's embedding this. You could watch network requests but obviously when you notice it going somewhere else it's too late and your account is stolen.