I read a bit more about LNURL-Widthraw and it is indeed possible to configure it to have limits.

In the case of dishonest merchants, you'll have to trust them, because by tapping with the card you can't see how much you're approving(they could create an app with a fake amount displayed while sending a larger invoice). That's basically the same as tapping with a credit card though(you could have a chargeback eventually though).

And yes, card stealing will mean you lost your money. Also similar to having a fiat card stolen and having the person tap away your money.