Old story. See, for example, Roon remote security.
I tried to interest a Roon developer who was at local (Seattle) event some months back. No success as far as I could tell, in line with responses I’ve seen here. Roon as a development organization doesn’t seem to accord priority to this security issue.