Instagram data and security
Spotlight is a registered app with Instagram (Meta) and makes use of the Instagram API.
This Instagram API can provide a lot of data to registered apps like Spotlight. However, most data is locked behind a permission requirement.
This means that we, Spotlight, need to ask Instagram (Meta) for permission to get access to that data, and we will not be granted permission if the data is not relevant to the app, is misused by the app, or can be exploited by the app. Meta meticulously tests and reviews apps before they are given their necessary permissions.
In turn, this means that the only data that an app (or plugin) like Spotlight has access to is the data that you see being used in that app. For Spotlight, that would be basic data about the Instagram user (username, bio, profile pic, etc) and data about their Instagram posts (image, video, caption, date, etc).
For full disclosure, the Spotlight verified app has access to these user-related pieces of data, these for posts, and these for comments.
Meta is incredibly strict about security-related concerns and their data. So much so that Spotlight has gone through multiple rounds of testing and verification by its security teams.
Although apps may misuse data, you have the benefit of knowing that Spotlight is a WordPress plugin, which in turn is a self-owned system that can be monitored by you, the user.