Ok, in that case I agree it would be better to enter the security token in the last step. Still to have access to a private encrypted browser session would be very difficult, so in reality it is only a minor security risk which is present for all other crypto currencies as well. Still good catch, by asking for the security token later on, or asking to enter again a security token, it would be more secure. Problem is that security tokens are valid for some time, so if you would login and enter the security token, the token would be the same 1 minute later when the security token would be requested for the second time 
In any case, I do not think TO would change their workflow only for Grin, since this security risk is present for all crypto withdrawals.
For the test exchange @vegycslol wants to build, it could possible be addresses since it only focusses on Grin withdrawels: