It sends your username and the NTLM hash of your password. The hash can be used as-is in some instances to access different restricted network shares and such by an attacker, the pass-the-hash attack. It could also be potentially taken and cracked offline.
That seems really dumb from a Windows standpoint. Why would that be allowed? I assume it's mainly for people who just open up sharing everywhere for convenience or something?
From a user standpoint, though, if you're going to fall for that you'll basically fall for any phishing attempt/malicious URL that's posted in chat, and I don't see them turning off all links. They should still absolutely restrict what gets turned into links, though.
As I said before, from a personal use standpoint, say you want to get 20 people together on a web chat and you don't want to bother with registering 20 users, Zoom is fine. Put a password on your meeting, be careful who gets in there and who puts what in chat, etc., and you should be fine. Use the web client if you're extra paranoid about spyware (though if you're that paranoid I don't know why you'd have a Facebook account or use things like Google). Performance-wise and ease-of-setup, it works great. If you're a company or you're sharing private or privileged information, probably look elsewhere.
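
One way to restrict what chat text gets turned into links, as the thread suggests. This is an added example, not part of the thread and not Zoom's code. It assumes the risky links are Windows UNC paths (`\\host\share`) and non-web schemes such as `file:`, which make Windows contact a network share and send credentials; the function names are hypothetical.

```javascript
// Allowlist-based linkifier: only http/https tokens become clickable.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized href if the token may become a link, otherwise null.
function safeHref(token) {
  // Assumption: UNC-style paths (\\host\share or //host/share) are the risk,
  // because opening one starts an authenticated SMB connection.
  if (/^[\\/]{2}/.test(token)) return null;
  let url;
  try {
    url = new URL(token); // throws for anything that is not an absolute URL
  } catch {
    return null;
  }
  // Rejects file:, smb:, drive letters parsed as schemes (c:), and so on.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Escape text before it is placed into HTML, linked or not.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Turns a chat message into HTML, linking only allowlisted tokens.
function linkify(message) {
  return message
    .split(/(\s+)/) // keep the whitespace so the message is rebuilt exactly
    .map((tok) => {
      const href = safeHref(tok);
      const text = escapeHtml(tok);
      return href
        ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a>`
        : text;
    })
    .join("");
}

// Constructed sample message: the UNC path stays plain text, the web URL is linked.
const sample = "notes at \\\\fileserver.example\\share and https://example.com/join?id=1";
console.log(linkify(sample));
```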