1-2 is correct, but with NIP-07 the attacker only has access to your account while you're using the XSS-vulnerable application, not after you close the application or the vulnerability is fixed. Still, I want to make it easier to use Iris without giving the "allow forever" permission.