That's vulnerable to XSS attacks, isn't it?


Discussion

Unfortunately yes. The app is built using Preact and I'm not injecting any user-generated HTML, but there's always the risk that bad code gets merged or iris.to gets hacked.

I hope we'll have app-specific keys at some point, and a good way to connect them to the same identity (and disconnect if they get pwned).

In the meantime, any good solutions for wrapped PWA key handling? Perhaps custom code could be written for Android & iOS apps that provides the window.nostr API and keeps the key safe.
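
Added example, not part of the thread or of the iris.to code base: a page-side window.nostr shim for a native wrapper, where the key stays in the native signer and only JSON requests and results cross the bridge. The names createNostrProvider, postToNative and handleNativeReply and the message shape are assumptions for illustration; because script in the page can still ask for signatures, the native side is assumed to confirm each signEvent with the user.

```javascript
// Added example (hypothetical bridge): the web view never holds the private key.
// `postToNative` is an assumed function supplied by the Android/iOS wrapper
// that delivers a JSON string to the native signer.
function createNostrProvider(postToNative, timeoutMs = 30000) {
  const pending = new Map(); // request id -> { resolve, reject, timer }
  let nextId = 1;

  function request(method, params) {
    return new Promise((resolve, reject) => {
      const id = nextId++;
      const timer = setTimeout(() => {
        pending.delete(id);
        reject(new Error(method + " timed out"));
      }, timeoutMs);
      pending.set(id, { resolve, reject, timer });
      // Only the request crosses the bridge; no key material is sent or returned.
      postToNative(JSON.stringify({ id, method, params }));
    });
  }

  return {
    // The window.nostr surface (NIP-07 method names) exposed to the web app.
    nostr: {
      getPublicKey: () => request("getPublicKey", {}),
      signEvent: (event) => request("signEvent", { event }),
    },
    // Called by the wrapper when the native signer answers a request.
    handleNativeReply(json) {
      const { id, result, error } = JSON.parse(json);
      const entry = pending.get(id);
      if (!entry) return false; // unknown or already-settled id: ignore it
      pending.delete(id);
      clearTimeout(entry.timer);
      if (error) entry.reject(new Error(error)); // e.g. the user declined
      else entry.resolve(result);
      return true;
    },
  };
}

// In the wrapped PWA (assumed wiring):
//   const provider = createNostrProvider(nativeBridge.send);
//   window.nostr = provider.nostr;
```

With this split, an XSS payload in the page can reach getPublicKey and signEvent but has no code path to the key itself, so the native prompt is the remaining control.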