That is normal - a local connection is required for Anki’s web frontend to communicate with Anki’s backend.
There has been one instance of a malicious add-on in the past, but I’m not aware of any malicious shared decks, and they do not have the level of access that add-ons do.