Yes, that's correct and documented. Robinhood doesn't offer OAuth for third parties - every unofficial integration (robin_stocks, etc.) uses the same pattern.
We're transparent about this tradeoff. If you're not comfortable with it, don't use it. For those who are, tokens are memory-only and wiped on logout/restart.