Security-wise and legally it’s the same thing: having access to the tokens with ‘approve’ or them being in your canister.
You certainly should probably not ever approve a canister with ICRC2 that isn’t open sourced and/or blackholed/DAO governed/someone you really, really trust.
That is why we gave subscription utility to the NNS.