Does the ZAP desktop client that connects to btcpay server, use the same bitcoin address that is supplied by the xpub key in the setup?
No it does not. They are different.
In laymen words, it’s like you have two wallets. One is your Trezor with xpub, where on-chain payments go. The other is your Zap for the lightning network.
The on-chain address for Zap will not be the same as the one in your Trezor.
LN is still new and there are plenty of technical and UI things that confuse people, ideally, in a year or two it will all be in one wallet without you even knowing what it is.
The “private key” for Lightning Network is on the server. If your server gets hacked, you delete your vm, your keys are gone - for now. As Lightning Network matures, these things will be way more secure I believe.