after working on Damoose (safari extension), it seems nostore is pretty insecure because it exposes your private key to the javascript environment.

Since we store your key in the iOS keystore, we can just access this from the plugin background process instead of the browser's javascript runtime environment.

We can sandbox the plugin process to disable outgoing networking connection, so it can only send messages to and from the browser, so it should be way more secure than what nostore was doing.