I would consider this a privacy concern. It's a little IoT device, but scale shouldn't matter. The landlord could be asking for access to one of your printers, door locks, cameras, or even a workstation at home, a cell phone, etc., and they'd all be off-limits, so I wouldn't treat this differently (unless you opted to yourself).
If it were me, I would let the landlord know that your privacy is important, protected by law, and you won't be giving her any access. Don't respond to any of her threats, and the issue will probably go away. They should know that they're dancing around all kinds of legal issues and will probably not push it. Otherwise, you can file a small claims case if you wanted.
Also, figure out what the "real lease" is, read it, and keep a safe copy somewhere. It sounds like the landlord is trying to bluff you at all angles, so it'd be wise to figure out what's legal and what isn't on your own.
A couple things come to mind about this, though. First, IoT devices, by nature, are much more vulnerable to attacks. You probably shouldn't have this device exposed to the internet. You could run it through Home Assistant, a VPN, or something more secure and still access it outside your house.
The second thing is that if it does get attacked, it could be used as a bastion host to your network. In other words, if an attacker is able to compromise your thermostat, then they are now on your LAN. This is where your private devices like computers, cell phones, and the like are connected. This is a classic way for people to get into LANs that they shouldn't have any access to.
Also, this is a little tin foil hatty, but don't rule out the concern that your landlord would be on your network with credentials to your thermostat. It's possible that, because they're nosy, they know a way to use the thermostat as a bastion host already and have ulterior motives. Just saying this to cover some more bases.
Good luck, and let me know how this all goes.