Some attackers build vanity generators that look legitimate but record every key generated. Unless you are using an open-source, audited, offline vanitygen (like VanitySearch on an air-gapped machine), avoid them.