I think a weird UX piece for end users will be - is this login as in share my pubkey, or login as prove I control the private key.

It’s perhaps subtle, however we may need better nomenclature.

May things may just need air know how to present your view (impersonate?) - load your relays, profile details, contacts, etc.

Others may also want to create events (authorise) on your behalf, like add a contact or create file event. It’s more on-demand.

And others again, may need you to prove (authenticate) initially, and then optionally allow other creation too (authorise).

Sometimes an extension controls what can be signed (like which event kinds), sometimes a client app will have soft fails or hard fails if you deny access.

It all needs massaging..