Thanks for sharing! The reason why we require the Whaleshares posting key is that there is no token-based authentication service such as Steemconnect for Whaleshares yet, so it is the only way. We have implemented a check so that users can only store posting keys with us and not active/owner/memo keys. Security-wise, we store the posting keys like Steem dApps store Steemconnect tokens. Utopian got hacked already, so this is not impossible, but unlikely if the hack does not come from an insider like on Utopian presumably. We are confident in our security measures, but we would love to see a "hacker" try as you suggest :D
If we ever got hacked, users would have to change their keys instead of revoking their Steemconnect tokens.