The real security is in keeping your keys safe and not signing events blindly, haha. When I use Jumble, every event (except AUTH) asks for my consent before it’s signed. I know that with this configuration, many apps become almost unusable.
Discussion
Yes, many apps assume that as soon they detect an extension the sign is immediate, and miserably fall with some sort of timeout if the user take some seconds to approve (or didn't approve at all).