A bot can steal your money without having withdrawal permission if they have trading permission like this one.
How so? I think Binance would love to hear from you if you know how.
Easy.
1. Bot developer buys illiquid coin, let's say 1000 ILL.
2. Developer places limit sell of 1000 ILL at $1 each.
3. Victim's bot buys 1000 ILL at market, filling the developer's order.
4. Developer places limit buy order for 1000 ILL at $0.01 each.
5. Bot sells 1000 ILL at market, filling the developer's order.
6. Repeat 2 - 5 until the victim's account is drained. It wouldn't take more than a minute.
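
A detection-side view of the pattern in the steps above, as an added example that is not part of the thread: it scans an account's fill history for a buy closed shortly afterwards by a sell of the same symbol at a large loss. The `Fill` record, the function name, the 120-second window and the 10% loss threshold are assumptions made for illustration, and the sample fills are constructed from the numbers in the post.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Fill:
    ts: float     # fill time, seconds
    symbol: str
    side: str     # "BUY" or "SELL"
    qty: float
    price: float  # quote currency per unit

def find_round_trip_losses(fills, window_s=120.0, max_loss_ratio=0.10):
    """Flag sells that close recent buys of the same symbol at a heavy loss."""
    alerts = []
    lots = defaultdict(list)  # symbol -> open buy lots as [ts, qty_left, price]
    for f in sorted(fills, key=lambda x: x.ts):
        if f.side == "BUY":
            lots[f.symbol].append([f.ts, f.qty, f.price])
            continue
        # Only buys inside the window count as the opening leg of a round trip.
        open_lots = [l for l in lots[f.symbol] if f.ts - l[0] <= window_s]
        remaining, cost, proceeds = f.qty, 0.0, 0.0
        for lot in open_lots:  # FIFO match of the sell against open buys
            matched = min(remaining, lot[1])
            cost += matched * lot[2]
            proceeds += matched * f.price
            lot[1] -= matched
            remaining -= matched
            if remaining <= 0:
                break
        lots[f.symbol] = [l for l in open_lots if l[1] > 0]
        if cost > 0 and (cost - proceeds) / cost > max_loss_ratio:
            alerts.append({"symbol": f.symbol, "ts": f.ts,
                           "loss": cost - proceeds,
                           "loss_ratio": (cost - proceeds) / cost})
    return alerts

# Constructed sample fills: one round trip with the thread's numbers
# (1000 ILL bought at $1, sold at $0.01) and one ordinary BTC round trip.
SAMPLE_FILLS = [
    Fill(0.0, "ILL", "BUY", 1000, 1.00),
    Fill(5.0, "BTC", "BUY", 0.5, 60000.0),
    Fill(20.0, "ILL", "SELL", 1000, 0.01),
    Fill(65.0, "BTC", "SELL", 0.5, 59900.0),
]

if __name__ == "__main__":
    for alert in find_round_trip_losses(SAMPLE_FILLS):
        print(alert)
```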