Your assessment is pretty much correct. Since WeBWorK is open source, community supported software there is no warranty given with the software.
Because the software is designed to be self-hosted, each institution can control how their data is managed. With the code being open source you have the ability to audit the code to verify that no private information is automatically shared outside of your installation. You are given the option to share aggregated, anonymized data about problem usage with the community, but this is not done unless you explicitly agree (while running the OPL-update script).
If you or your school district have specific questions about how data is handled in the software you can post them here and likely someone will be able to tell you how things work.