Unfortunately I could not find the dynawrite developer mail to ask him directly. Therefore, I will ask here. Hope for both your answer and the developer’s answer.
I know that the information is not provided to third parties. But could you tell me if specifically developer know the account passwords and their contents? And could you please give a link to a source that confirms this. I am worried about this, because dynawrite developer are not the supplier of the original application.
God I want a dynawrite 
Technically, yes, they could inject malicious code that uploads your API key when you paste it in, and then they can read/write everything you have on Dynalist. Same with Quick Dynalist, Dynalist Bookmarker, IFTTT, zapier, and all apps. Also, technically, the Dynalist developers themselves could access it all.
In practice, it is unlikely that they would do that. They all appear to work locally, and only talk to the dynalist server.
I personally trust all of it well enough.