Thanks for the quick reply João! Indeed, the confusion came from using Lock or Auth0.js as part of the universal login template, which I assumed would turn them into an embedded login. Thanks for clarifying that.
For the second part, I think I understand your point, but for the case of a single app, does it make any difference? The main point I see here in favor of an embedded login is the ability to keep it together with the rest of our app in our source control and reuse our CSS, whereas in the case of customizing the login we need to keep these templates in the Auth0 side and prepare a set of assets to be consumed by it. Definitely something worth doing if there is a security risk, I just want to understand if such a risk exists.