that basically says the user is a security vulnerability or we have a too complicated system where users need to sign events that they don't understand? :) (at the same time users complain they get asked too much) and any signing prompt is imo better than handing over the private key.

generally the user needs a bit of trust in the webapp. otherwise signing something is never a good idea imo.

I think there is a signPsbt function.