To trade or stake on most protocols, you first approve the contract to move the token on your behalf. This is normal and necessary. The problem is the default: many apps request an unlimited approval that never expires, so the contract keeps permission to move that token long after you finished using it.
If that contract is later exploited, or was malicious from the start, the standing approval is the door it walks through. The attacker does not need your seed phrase. The permission you already signed is enough to drain the approved token. This is one of the most common ways funded wallets lose money without ever being phished directly.
The fix is hygiene, not fear. Approve only the amount you need when the app supports it, and revoke approvals you no longer use. Reviewing the approval surface of an address shows which contracts still hold permission, so you can close the ones that no longer earn their place.