Proxying (and therefore passive scanning) requests via ZAP is completely safe and legal; it just allows you to see what's going on. Spidering is a bit more dangerous: it could cause problems depending on how your application works. Note that there is a Spider option to not use POST requests. This may be safer, but it is also likely to reduce the effectiveness of the Spider.