If managing Google Workspace™ security is not your daily job, you probably want some guidance and best-practice tips on how to evaluate all 3rd parties that have some kind of access to your data in Google Workspace. See the generic best-practice tips below.
Check the scopes that the 3rd party wants to access. Evaluate whether they are fair for the functionality that the application offers. If the application should only work on spreadsheet data, the scope to access a 3rd party web service should not be necessary. The Gmail™ scope should not be necessary either for an application that only processes the data in your spreadsheet. A common issue in Google Workspace add-ons is that the scope requests access to ALL files in Google Drive™, while access to a specific file type (e.g. spreadsheets) should be sufficient, and, to limit the scope further, to just the spreadsheet that is opened. If you have questions about the scopes of the application, reach out to the supplier's support.
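As an added example (not from the original page or from Google), the following JavaScript applies the scope tips above to the scope list of a spreadsheet add-on. The manifest is constructed sample input in Apps Script `appsscript.json` form, and the rules, verdict labels and function names are assumptions made for this illustration.

```javascript
// Added example: review the OAuth scopes a spreadsheet add-on requests.
// SAMPLE_MANIFEST is constructed for illustration (appsscript.json form).
const SAMPLE_MANIFEST = JSON.stringify({
  timeZone: "Europe/Amsterdam",
  oauthScopes: [
    "https://www.googleapis.com/auth/spreadsheets.currentonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/gmail.readonly"
  ]
});

// Hypothetical rules for an add-on that only processes spreadsheet data.
const RULES = [
  { test: s => s === "https://www.googleapis.com/auth/spreadsheets.currentonly",
    verdict: "ok", note: "limited to the spreadsheet that is opened" },
  { test: s => s === "https://www.googleapis.com/auth/spreadsheets",
    verdict: "broad", note: "all spreadsheets; ask why the opened file is not enough" },
  { test: s => /\/auth\/drive(\.readonly)?$/.test(s),
    verdict: "broad", note: "ALL files in Google Drive; a spreadsheet scope should suffice" },
  { test: s => s === "https://mail.google.com/" || /\/auth\/gmail\./.test(s),
    verdict: "unexpected", note: "Gmail is not needed to process spreadsheet data" },
  { test: s => s.endsWith("/auth/script.external_request"),
    verdict: "unexpected", note: "allows calls to a 3rd party web service" }
];

// Returns one finding per requested scope.
function reviewScopes(manifestJson) {
  const scopes = JSON.parse(manifestJson).oauthScopes;
  if (!Array.isArray(scopes)) {
    // No explicit list: the scopes must be read from the consent screen instead.
    return [{ scope: null, verdict: "unknown", note: "no oauthScopes listed" }];
  }
  return scopes.map(scope => {
    const rule = RULES.find(r => r.test(scope));
    return rule
      ? { scope, verdict: rule.verdict, note: rule.note }
      : { scope, verdict: "review", note: "not covered by these rules; ask the supplier" };
  });
}

// Scopes to raise with the supplier's support.
function needsQuestions(findings) {
  return findings.filter(f => f.verdict !== "ok").map(f => f.scope);
}

console.log(reviewScopes(SAMPLE_MANIFEST));
```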
Check who is delivering the application. If the application is offered by "firstname.lastname@example.org", you should have some doubts. A trustworthy company name (e.g. Salesforce™) should give you more comfort.
Every application on the Google Workspace marketplace (web application, add-on, chatbot) comes with a privacy statement from the supplier. It is mandatory for everyone who wants to publish an item on the Google Workspace marketplace. Check this document.
Check the support options. You might not need support yet. However, check how you can get it when someone runs into trouble using this 3rd party application on their data.
See also Google Workspace admin help: Evaluate a marketplace app's security.