Proxying (and therefore passive scanning) requests via ZAP is completely safe and legal, it just allows you to see whats going on.
Spidering is a bit more dangerous. It could cause problems depending on how your application works.
Note that there is an Spider option to not use POST requests - this may be safer but is also likely to reduce the effectiveness of the Spider.
Active scanning is dangerous and depending on your app may create/modify/delete data.
So the only really safe thing is proxying and passive scanning, the other 2 could cause problems and could be considered illegal if you perform them on apps you don't have permission to test.
ZAP supports a ‘safe’ mode which will only allow you to do safe things, as well as a ‘protected’ mode which only allows you to attack sites that you define are in scope. We recommend you use either of these modes whenever you are using ZAP with a site that you do not want to attack.