Some plain English quotes one of the sources below.
“First of all when you connect your wallet to any of the DeFi platform you are only allowing the site to view the addresses of your permitted accounts. That is they can read the value of Ether and the ERC20 tokens that you have in your account. They cannot spend your funds until unless you approve it.”
TLDR: Connecting only gives view permissions to the addresses in your wallet. Just like you can tell me your address and I can do nothing without it except sending you funds.
“If you connect to a site it can only view your public address and prompt you to sign a transaction it can’t steal anything if you don’t sign the transaction. Only connecting is not really dangerous except for privacy reasons (the developers could connect your IP to an address and track you)."
It can’t steal any funds, tokens or NFT’s, nothing.
"It’s game over if you give your private key (or the seed phrase) to someone. Because with the key they could sign malicious transactions themselves.”
Obviously. So don’t leak your private key. But you already knew that.