Is there any risk to wallet funds when connecting a wallet in a web page? (but not signing anything)

I'm wondering about possible risks, if any, of users connecting in web page (just connecting, not signing anything).

Is it even possible to make a user to sign anything without prompt a metamask pop-up showing the signature message?

Or even in the case of showing a pop-up requesting the user to sign something, is it possible to hide the bytecode data to be assigned and show only a fake message instead (a simple confirmation message as string, per example)?