I don't see how their software can be compromised unless they were lying about how the private keys are generated and them being non-custodial.
Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.
I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled into Copay updates without anyone realizing.
You should never write any wallet in JavaScript, and in particular NodeJS, because your project dependencies will pull literally hundreds of other dependencies, some of which are outdated, and there's no way for you to get around that situation. Instead of a bullet, it's like a hundred pieces of shrapnel from a missile and will almost certainly get you killed.
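Added example, not part of the thread and not code from Copay or Atomic Wallet: a small audit of an npm `package-lock.json` (lockfileVersion 2/3 `packages` map) that lists which direct dependency pulls in each transitive package and which locked packages carry no `integrity` hash. The lockfile and every package name in it are constructed sample data.

```javascript
// Constructed sample lockfile; all package names are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-wallet", dependencies: { "build-helper": "^1.0.0", "qr-render": "^2.1.0" } },
    "node_modules/build-helper": { version: "1.0.3", integrity: "sha512-CONSTRUCTED", dependencies: { "stream-utils": "^3.3.0" } },
    "node_modules/stream-utils": { version: "3.3.6", integrity: "sha512-CONSTRUCTED", dependencies: { "tiny-map": "^0.1.0" } },
    "node_modules/tiny-map": { version: "0.1.1", resolved: "git+https://example.invalid/tiny-map.git" },
    "node_modules/qr-render": { version: "2.1.4", integrity: "sha512-CONSTRUCTED" },
  },
};

// Node-style resolution inside the lock: look in the requiring package's own
// node_modules first, then walk up one enclosing package at a time to the root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from the root project, recording the shortest chain of
// package names that leads to every installed runtime dependency.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const chains = new Map([["", []]]);
  const queue = [""];
  while (queue.length) {
    const from = queue.shift();
    const meta = packages[from] || {};
    const wanted = { ...meta.dependencies, ...meta.optionalDependencies };
    for (const name of Object.keys(wanted)) {
      const path = resolve(packages, from, name);
      if (path === null || chains.has(path)) continue;
      chains.set(path, [...chains.get(from), name]);
      queue.push(path);
    }
  }
  chains.delete("");
  const entries = [...chains.entries()];
  return {
    direct: entries.filter(([, c]) => c.length === 1).map(([p]) => p),
    transitive: entries.filter(([, c]) => c.length > 1).map(([p, c]) => ({ path: p, via: c.join(" > ") })),
    noIntegrity: entries.filter(([p]) => !packages[p].integrity).map(([p]) => p),
  };
}

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Only `dependencies` and `optionalDependencies` are followed, so dev-only tooling is left out of the count; the `via` chain shows which direct dependency a reviewer would have to replace or pin to drop a given transitive package.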