RE: If you use Metamask without a hardware wallet you may be at risk.

I've always been suspicious of Metamask's security: web browsers have traditionally been terrible at security, and building a secure application on top of them is a recipe for disaster.

The state of Hive is even worse in terms of security. The only widely implemented options for authentication management here are Hive Keychain and HiveSigner: one is an extension, and one is served from a web server with seemingly no offline/standalone version. Not only that, HiveSigner is served through Cloudflare, which means users of HiveSigner have to trust Cloudflare, the developer of HiveSigner, and the server host of HiveSigner not to maliciously inject password-stealing code into the page.

You should not trust any webpage served through Cloudflare; what little decentralisation Hive has is completely negated by the fact that every major in-browser application for accessing Hive is served through Cloudflare.

If a major adversary, such as the US government, wanted to destroy Hive, they could obliterate the entire platform within hours by forcing Cloudflare to inject malicious code into every major Hive website that burned everyone's tokens and reset their keys.

If they wanted to completely destroy public trust in Hive, they would only need to do so for a few minutes. Such a short window would be very unlikely to be noticed by anyone before it was too late, and Hive would be blamed for the losses.

The only thing preventing Cloudflare from silently mass-collecting data on Hive users right now, and the reason I've stuck around, is the fact that the actual API endpoints don't go through Cloudflare. Either developers were smart enough to realise that Cloudflare is a major security risk, or Cloudflare broke API access so often that they were forced to use direct access for the API.

The few people well-versed in security would be able to manually check for a compromised page before trusting it; however, that takes quite some time and is not practical for the average user.

The only method I've found so far for accessing Hive that can be trusted not to suddenly be compromised by a third party one day is Ecency-Mobile/Esteem-Surfer, as it's a standalone program saved locally on your device. However, images are still served via Cloudflare, so if an image-parsing vulnerability were found, it could still lead to compromise. Such a vulnerability is a much higher bar, though, and such bugs are often patched extremely quickly, before anyone manages to use them maliciously.

As for Hive Keychain, the other issues basically make it irrelevant, though it does seem to have fewer single points of failure than HiveSigner does.

Cloudflare is a direct enemy of decentralisation: they've managed to siphon a massive chunk of the internet through their servers and currently have the biggest data collection system in the history of the internet. Regardless of whether they're using that system to harvest data right now, they are not to be trusted in the slightest, as they could just as easily begin using it without anyone knowing.

I may make a dedicated post about Cloudflare, and possibly one about the failings of Hive. There's great potential in Hive and it would be good to see it overcome its current failings.

Corporations are not our friends, they are an enemy to democracy, privacy, and freedom.
