Phones have secure enclaves. If they did taproot schnorr secpk256 sigs (I don't think they do) you could use the secure enclave and not even see the private key in your own software.
Discussion
Yep. Biggest question is if you can inject your own window.nostr implementation to the wrapped PWA webview.