The threat vector I am concerned about in this question is exposure of public keys to outside parties, not exposing the address or tie to my IP address.
Probably you know the address is the SHA256+RIPEMD160 version of the public key, i.e. the public key is not recoverable from the address. The question is whether putting the xpub in the app exposes the public keys to the app builders or whether the xpub (and public keys) stay locally on the device.
You generally only want to put xpubs in software that either you wrote, or completely reviewed, including dependencies, and re-review with every release. This is because 1 derived privkey leak + xpub = full access.