Let users choose, you can put a warning, Coracle it uses nip07 by default, otherwise nsec. Nip07 you have to trust the extension, you can also trust a specific web client, i can be using a burner nsec. Also if you open the web client in mobile there aren't many signers for mobile, what will clients require next for safety reasons, 2FA? I don't think we should treat users like children and decide what we think it's best for them, let them know the options and risks and decide.