most of their stuff is local, unless you have activated remote access on your unifi controller, which will require an online account on unifi (ui.com)
i only have their aps and my unifi controller is hosted on a local machine, and so far i haven't found any suspicious queries from them. i haven't done any packet trace or port checks because they seem ok for me
where the unifi controller is hosted on a deb machine
one of the aps
as for access control, if your unifi controller is hosted on a local machine then it will just use specific ports that ubiquiti utilizes that i'm not familiar with (or too lazy to do a port scan). you may also host your controller online via hostifi or other providers or a diy cloud server (if you're into that)
for updates, unifi controller will notify you if there are updates, but it's still up to the controller admin if they decide to do so.
as for janked device configs, i mostly experienced it on controller versions 6.x.x and 7.x.x but not on the most recent one (9.x.x), and yes, it requires a unifi controller admin acct. you may also do scheduled backups of your configs so you can revert back just in case. and if you have no choice then you could locate device > poke reset > re-provision on controller.