Yeah that's why we don recommend hot wallets for any real funds.
Also those wallets are usually really well vetted... We're still in the wild west here... There was a XSS vuln recently that extracted a bunch of priv keys from web clients.
Discussion
Got it. Yeah I just trying to think if conceptually, there could be cool use cases for generating new npubs for every message from an xpriv, where a service provider has the xpub. Like the Swan autowithdraw feature - they know it’s your pubkey but the rest of the network does not.