My Sonoff Zigbee dongle presents itself on my Linux home server as a USB serial device (/dev/ttyUSB0) which gets forwarded to the zigbee2mqtt container which talks to it. Perhaps under a different host OS it might try to deploy something nefarious, but I'm not particularly concerned.
Those people probably aren't buying USB dongles that depend on a server in the first place; They're using one of the many "hub" devices out there instead (with varying degrees of privacy and network security).