Better, however a supply chain attack on a dependency could leak passwords even from a signer. It also makes the maintainer of the signer app a larger target, ultimately multisig deterministic builds and releases help with that.