A few months ago, Zoom caught a lot of attention for running a local webserver in the background after installing their desktop app. They did this to avoid the "Do you want to open this link in Zoom" prompt that appears in most web browsers.
Figma's desktop app does the same thing. When opening a link to a Figma document, the webapp will make a call to https://figmadaemon.com:44960/figma/desktop/can-open-url with userID and url parameters.
If it determines that it can in fact open the url, then the webapp will make a call to https://figmadaemon.com:44960/figma/desktop/open-url with the same parameters.
After some quick investigation, it turns out this figmadaemon.com resolves to 127.0.0.1.
# ignoring dig's comments and empty lines
$ dig figmadaemon.com | grep -v ';' | grep '\S'
figmadaemon.com. 21560 IN A 127.0.0.1
I haven't explored an attack vector using this, but I would have preferred Figma disclose clearly that they are running a local web server and would provided an option to disable it.