In the end the horrible thing can happen. You can just try to avoid it, but there is no guarantee and always a risk.
1. Get references and check with those. Not super reliable, as the dev won't give you bad references, but maybe you are "lucky".
2. A contract stating all the intellectual property things.
3. The dev should be in a country where there are proper laws on intellectual property. If those are not being enforced in that country, it will be difficult to make a case, if not impossible.
4. As Biju wrote, having the dev in your country is easier when it comes to claims, but in the case of the EU this can be in all the EU countries.
5. What would bother me most is giving out all the credentials (DB, payment login and whatever secrets and keys you are using). I would exclude the production secrets from git updates, keep them locally, and give the dev a local file with sandbox testing credentials.
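
An added example (not part of the original post) of two checks that support the last point above: confirm that the file handed to the developer holds only sandbox values, and that no secrets file is tracked in git. The file names, the marker strings and the sample data are assumptions made for illustration; the `sk_live_`/`sk_test_` split follows Stripe's key naming.

```python
"""Keep production secrets out of the repo; give the contractor sandbox values only."""
from pathlib import PurePosixPath

# Assumed names (hypothetical, not from the post): local secret files kept out of git.
SECRET_FILES = {".env.production", ".env.local"}
# Assumption: live credentials are recognisable by prefix or host, e.g. Stripe's
# "sk_live_" keys versus "sk_test_" keys. Adjust to your own providers.
PRODUCTION_MARKERS = ("sk_live_", "pk_live_", "prod-db.")


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def production_values(env):
    """Return the keys in a developer env file whose values look like production."""
    return sorted(k for k, v in env.items()
                  if any(m in v for m in PRODUCTION_MARKERS))


def tracked_secret_files(tracked_paths):
    """Given the output lines of `git ls-files`, return secret files that are tracked."""
    return sorted(p for p in tracked_paths
                  if PurePosixPath(p).name in SECRET_FILES)


# Constructed sample: the file handed to the external developer.
DEV_ENV = """
# sandbox credentials only
DB_HOST=localhost
PAYMENT_KEY=sk_test_CONSTRUCTED_EXAMPLE
"""
# Constructed sample: a file that must never reach the developer.
LEAKY_ENV = "DB_HOST=prod-db.example.internal\nPAYMENT_KEY=sk_live_CONSTRUCTED_EXAMPLE\n"
# Constructed sample of `git ls-files` output.
TRACKED = ["app/main.py", ".env.example", "deploy/.env.production"]

if __name__ == "__main__":
    print("dev file production values:", production_values(parse_env(DEV_ENV)))
    print("leaky file production values:", production_values(parse_env(LEAKY_ENV)))
    print("secret files tracked by git:", tracked_secret_files(TRACKED))
```

If a secrets file was ever committed, removing it from the working tree does not remove it from history, so rotate those credentials before granting repository access.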