Can a zigbee/z-wave device be malicious

I was buying some buttons from Amazon, then I saw the extract same item from AliExpress. Same look and "pictures of item" and in some cases same brand. This brought a topic in my head, "can a zigbee/zwave device be malicious". Can it? Does the hub(Hubatat in our case) block security concerns?

I understand devices might be crappy in some other way, but how safe security?
I know amazon can be just as creepy.
Where do people buy their devices?
Can I buy on Aliexpress? Opinion on the devices, not the sleazy vendors.

Yes and no. Unless a z-wave/zigbee device had multiple radios (eg. z-radio + cellular), it cannot phone home with information about your network.

On the other hand, a bad actor zigbee or z-wave device can certainly make your z-wave or zigbee mesh non-functional by flooding it with data packets, malformed or otherwise.

The probability that the devices you found on AliExpress lie in either category approaches zero.