As it has been pointed out several times previously, the argument of being a “security hazard” is equally applicable practically to every desktop aplication or phone app - most would have full network access and access to your storage/contacts/etc. Same with your browser extensions - quite a few have full access to the content of the pages you are loading or the texts you are typing. In this case, as also has been pointed out, you can use some means of reducing the risks (such as creating a CSR or ensuring no data is sent back once the app is loaded, etc), but in essence it is indeed a matter of trust, like with everything else.
NB: For ZeroSSL specifically that has already been explained I believe. Apart from having no access to what you are entering/generating/doing, the site is not even using cookies and it does not offer any verification helpers (such as ftp uploads for example) or key generation involving any server side code. If any helper functions ever appear on the site (perhaps some diagnostics in case of errors you might want some help with), the necessary explanation of what information might be required to be seen by the server will be given and explicit permission to procees will be requested.