Never enter your NSEC into a web client. Always use a NIP-07 extension.
Discussion
Let users choose; you can put up a warning. Coracle uses NIP-07 by default, otherwise nsec. With NIP-07 you have to trust the extension; you can also trust a specific web client; I can be using a burner nsec. Also, if you open the web client on mobile, there aren't many signers for mobile. What will clients require next for safety reasons, 2FA? I don't think we should treat users like children and decide what we think is best for them; let them know the options and risks and decide.
Imagine Bitcoin mobile wallets not allowing you to insert a private key: you could only receive, or broadcast a tx previously signed by a hardware wallet.