Yeah this is something I care deeply about. I'm pretty paranoid when it comes to this stuff, which is why I build a tool I call NVault, it puts my nsec behind multiple layers without the code to extract it, ever. I think nvault is a pretty ideal solution for paranoid desktop users for the isolation benefits. Only remote signers can help mobile users and that has it's costs too.
That said, I'm not a mobile developer, but to me, having an nsec on a mobile device is identical to a hot bitcoin wallet. Often apps will store the nsec with symmetric encryption derived from a password, however this still requires the nsec be available in memory and accessible within the same process's memory space. I'm not usually concerned with keys at rest on modern mobile devices with asymmetric encryption. It's what can happen when the nsec is available in plaintext in the applications memory space.
So yes when the nsec is local to an app, I think you should have slightly higher concerns. However generally speaking it's more likely that keys will leak based on user error or phishing than though an application flaw, at least in the short term. For example, copy/paste to another app and you forget to clear your clipboard, or you accidentally pasted in a form or something like that. With browser clients they can be open to XSS attacks that can also leak keys. The handwoven part is that well it's secure as any other key or password you likely already use.
Also feel free tag me any time you maybe have questions like this I could probably answer more in depth, because most of these apps are open source