If security is critical to your application, I recommend using the boot signing feature available on the RP2350. You'll find a description of the signing process here.
Websites like this one cannot reliably sign your image for you due to the fact that, in the end, you'd still need to trust that the server you're connecting to wasn't taken over by a third party. This is true of any on-line service.
It follows that your chip's Secure Boot configuration will also need to be adjusted off-line using tools provided by the chip's manufacturer.
To uniquely identify boards, and to authorize access to their uploaded firmware, FlashMyPico may use both the RP2350's 64-bit public chip ID, and the lower half of its 128-bit private chip ID (RANDID[0:4]). The entirety of RANDID may be read from your chip, and then sent to the website, making RANDID unfit for use as a private key in your application. RANDID reads cannot be restricted by the Bootrom as long as the PICOBOOT interface is enabled.
The flashing tool relies on the PICOBOOT USB interface (enabled by BOOTSEL) to access the chips. Please note that you won't be able to use this tool after disabling PICOBOOT on your chip.