
Each of those allows you to connect to your own Electrum server. But if you're not doing that, then some random server knows your addresses up to the gap limit plus what you've used already. If you're not using a VPN then your addresses are tied to your IP address.

The threat vector I am concerned about in this question is exposure of public keys to outside parties, not exposing the address or tying it to my IP address.

Probably you know the address is the SHA256+RIPEMD160 version of the public key, i.e. the public key is not recoverable from the address. The question is whether putting the xpub in the app exposes the public keys to the app builders or the xpub (and public keys) stay locally in the device.

reply

You generally only want to put xpubs in software that either you wrote, or completely reviewed, including dependencies, and re-review with every release. This is because 1 derived privkey leak + xpub = full access.

reply