When something is implemented, it usually becomes a case of justifying it as “perfect” and “no harm” even when a problem is identified.
Yes, fair enough justification that “Zerodha” will never ask, but you never know who else can ask and how many may get trapped.
With Zerodha becoming the largest broker in India, some safety measures are expected to be put in place. Not all users are that attentive and tech savvy to pay heed to “only enter on a webpage that has kite.zerodha.com in the URL”
The real challenge is that the more number of such third-party “sessions” are enabled through Kite login, the more it will become a tendency of users to assume that everything is a genuine Kite authenticated, even when it may not be. Rest will be taken care by the social engineers, hackers and spammers. Why keep a loophole open?
The recent case of Zerodha sending SMS warning about a fishy site pretending to be Kite is a proof in itself that Zerodha customers are getting targeted and trapped.
No harm in creating a separate additional login id for third party “yoga sessions” for peaceful trading - let it remain really peaceful. 
It’s money - Better Safe, than Sorry!
Possibly another reply will come still claiming “no harm” - So can’t continue arguing on this. Hope the message reaches the right ppl at Zerodha to plug a leak! @nithin