Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?
If the app is linked to your bitcoind, and an attacker has a way to execute arbitrary code within the browser controlling the app, then quite possibly yes.
Not quite possibly yes, the answer is completely yes. It's for this exact reason that I've deprecated the Local Server plugin in 0.2, or at least relegated it to a highly not recommended option when the Block Explorer is available (which conveniently enough only requires the public BitCoin address to show your balance, rather than having to set up RPC information).