Not all clients store the nsec in client. Many store it in the device keychain and equivalent for Android. They simply reference the nsec where it is stored on device.
Which means when you paste in an nsec, it is not always being stored by the app.
If you put your nsec into a client, then that client has access to your nsec. The question there is, what, if anything does that client do with your nsec? So if you are on Primal, and you enter your nsec, does Primal send your nsec back to a server someplace and keep your nsec for nefarious reasons? This is why you might use a browser extension like nos2x or Amber on android.
In your last paragraph you discuss the servers (in #nostr we call them relays) being centralized. If you go to this page, and give it some time to load, you can see that there are hundreds of relays all over the world.
#Nostr relays are very decentralized.
https://nostr.watch/relays/find
You are very safe from being cancelled on #nostr. But that doesn't mean anybody will pay attention to you. The concern is getting an audience.
Discussion
It is being stored by the app, because unless it is being stored by another application like nos2x or Amber, the client can, and in fact needs to get the nsec back so that it can sign and decode with it.
The app can't just reference it, unless the keychain does the signing and decryption, which I don't think it does, but maybe I'm wrong here?
It is just storing it in a different memory location. It doesn't protect you from the client being malicious.