My Sonoff Zigbee dongle presents itself on my Linux home server as a USB serial device (/dev/ttyUSB0) which gets forwarded to the zigbee2mqtt container which talks to it. Perhaps under a different host OS it might try to deploy something nefarious, but I'm not particularly concerned.
Those people probably aren't buying USB dongles that depend on a server in the first place; they're using one of the many "hub" devices out there instead (with varying degrees of privacy and network security).
If you're more worried about the US than China, we must live in a different world :)