If he's pulling anything but a domain check for valid licensing it's more than what he needs to be doing. Anything else is NOHB. Like I said, I just deleted the app and won't do any further business with him.
Doesn't matter if it is "sensitive data" or not.
I do agree it is a bit extreme for an add-on. Only other one I know that collects path info is @LP-John's form add-on as it saves the path in WHMCS. But many softwares outside xF do it including WHMCS and almost all add-ons for it, Softaculous.. etc