What kind of authority does a "recovery account" have over a "created claimed account"?

in #steemit · 6 years ago


The recovery account of a Steem account is by default its creator. Accounts created via Steemit.com have @steem as their recovery account; accounts created by dApps have the corresponding dApp account as recovery partner.

From an account access perspective, there is no difference whether the account was created by @steem or by any dApp. Neither of them has access to your private keys just because it is listed as the recovery account. This, of course, assumes that the recovery partner never knew any private key or master password of the account it created, and that the initial set of keys was either selected by the user of the new account or randomized in that user's browser. This is true for all dApps with signup that I know of, but may not be the case if an account is created "manually" by other users.

Steem accounts can be recovered with a master password or owner key of the account-to-be-recovered that was valid at some point in time within the last 30 days, together with the active key of the recovery partner. Recovery requires both parties: the account cannot recover itself on its own, and the recovery partner alone cannot access the created account either. This means the recovery partner has no control over or access to the claimed account unless the created account signs the corresponding recovery ops as well.

However, if an account recovery is required, it is the responsibility of the recovery partner to ensure that the person requesting the recovery is actually the rightful owner of the account-to-be-recovered. Steemit uses the email address and phone number that were entered at account registration to verify the identity of the requester before starting the recovery. dApps also need to record and store off-chain identification information if they want to provide account recovery options. I don't know to what extent this information is requested and stored by dApps during the signup process. It is probably worth approaching account creator dApps and asking about their recovery procedures.

The recovery account can also be changed and set to any other account name. However, it takes 30 days until the change becomes active. If you don't want to trust Steemit or a dApp with account recovery, you can set your recovery account to any other account, preferably a person who "knows" you and is technically capable of performing a recovery if needed.
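
The rules described above, written out as a small model. This is an added example, not code from the post or from Steem itself: it is a simplified sketch with no cryptography, where signers and keys are plain strings, and the class, function and account names and the dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # the 30-day period the post gives for both rules

@dataclass
class Account:
    name: str
    recovery_account: str
    # entries are [owner_key, valid_from, replaced_at]; replaced_at is None while current
    owner_history: list = field(default_factory=list)
    pending_change: tuple = ()  # (new_partner, effective_at) once a change is requested

    def set_owner_key(self, key, now):
        if self.owner_history:
            self.owner_history[-1][2] = now  # close out the previous key
        self.owner_history.append([key, now, None])

    def key_recently_valid(self, key, now):
        # True if the key is current or was replaced no more than 30 days ago
        return any(k == key and start <= now and (end is None or now - end <= WINDOW)
                   for k, start, end in self.owner_history)

    def change_recovery_account(self, new_partner, now):
        self.pending_change = (new_partner, now + WINDOW)  # delayed activation

    def recovery_partner(self, now):
        new, when = self.pending_change or (self.recovery_account, now)
        return new if now >= when else self.recovery_account

def can_recover(acct, partner_signer, owner_key, now):
    """Recovery needs BOTH the partner's signature and a recently valid owner key."""
    return (partner_signer == acct.recovery_partner(now)
            and acct.key_recently_valid(owner_key, now))

def demo():
    t0 = datetime(2019, 1, 1)  # constructed timeline
    alice = Account("alice", recovery_account="some-dapp")
    alice.set_owner_key("owner-key-1", t0)
    alice.set_owner_key("owner-key-2", t0 + timedelta(days=60))  # owner key replaced
    day = lambda n: t0 + timedelta(days=60 + n)  # days since the key was replaced
    alice.change_recovery_account("bob", day(0))
    return {
        "both_parties": can_recover(alice, "some-dapp", "owner-key-1", day(10)),
        "partner_alone": can_recover(alice, "some-dapp", None, day(10)),
        "owner_alone": can_recover(alice, None, "owner-key-1", day(10)),
        "old_key_expired": can_recover(alice, "bob", "owner-key-1", day(31)),
        "old_partner_after_change": can_recover(alice, "some-dapp", "owner-key-2", day(31)),
        "new_partner_after_change": can_recover(alice, "bob", "owner-key-2", day(31)),
    }
```

Calling `demo()` shows that only the combination of the active recovery partner and a recently valid owner key succeeds, and that a requested recovery-account change has no effect until the 30 days have passed.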


Thanks for this comprehensive explanation. It's very helpful.
