loxwebhook

Security Q & A

Is it secure to use loxwebhook and expose my Loxone Miniserver to the public internet?

Yes. Apart from the fact that connecting something to the internet is never 100 % secure, you can consider this usage secure. Loxwebhook implements the following measures to mitigate the risks:

  1. Key authentication: A request is only forwarded to the Loxone Miniserver if a matching authentication key is provided. Please read the question “How can I be sure my authentication keys are secure?” on this page.

  2. Transport layer encryption: Data that is transferred over the public internet is TLS encrypted. Only HTTPS connections are allowed. A widely trusted CA (Let’s Encrypt) is used. This keeps the data safe while it is on the public internet.

  3. Rate limiting for requests: Loxwebhook does not accept more than ~1 request per second. This makes brute force attacks on the secret keys nearly impossible and prevents the Loxone Miniserver from being overloaded.

Besides all the security measures provided by Loxwebhook, you need to be aware that every use case for loxwebhook involves someone who sends requests. You need to trust this second party.

How can I be sure my authentication keys are secure?

Everybody who knows a key can access the assigned control(s) on your Loxone Miniserver. That’s why you must keep them secret. You can (and should) use any ASCII letter (A-Z, upper and lower case), numbers, hyphens (-) and underscores (_).
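
As an added illustration (not part of loxwebhook's own code), the Go sketch below generates a key from the character set listed above and estimates how long guessing it would take under the ~1 request per second limit. The function names and the 32-character length are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"strings"
)

// Characters the text above allows in a key: 64 symbols, 6 bits each.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

// GenerateKey returns n random characters from alphabet (hypothetical helper).
// 256 is a multiple of 64, so masking a random byte to 6 bits is unbiased.
func GenerateKey(n int) (string, error) {
	if n <= 0 {
		return "", fmt.Errorf("key length must be positive, got %d", n)
	}
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	for i, b := range buf {
		buf[i] = alphabet[b&63]
	}
	return string(buf), nil
}

// ValidKey reports whether s is non-empty and contains only allowed characters.
func ValidKey(s string) bool {
	return s != "" && strings.Trim(s, alphabet) == ""
}

// EntropyBits is the entropy of a uniformly random n-character key.
func EntropyBits(n int) float64 { return float64(n) * math.Log2(float64(len(alphabet))) }

// YearsToGuess: expected time at ratePerSec guesses/s (half the key space on average).
func YearsToGuess(n int, ratePerSec float64) float64 {
	tries := math.Pow(float64(len(alphabet)), float64(n)) / 2
	return tries / ratePerSec / (365.25 * 24 * 3600)
}

func main() {
	key, err := GenerateKey(32) // 32 is an assumed length, not a project default
	fmt.Println(key, ValidKey(key), err)
	for _, n := range []int{4, 8, 32} {
		fmt.Printf("%2d chars: %3.0f bits, ~%.3g years\n", n, EntropyBits(n), YearsToGuess(n, 1))
	}
}
```

At one guess per second a 4-character key is expected to fall in about three months, while 8 random characters already take millions of years, so key length and randomness matter as much as the rate limit.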