I got the impression from some nostr people that nsec login should be completely abolished. I agreed, so I have only provided 2 login options on every nostr app I've made: create new identity w/ export options, or use extension.

However, with such limited options for signing extensions on Android, I basically can't use my own apps on my phone. 🤔 I've looked at the available signing extensions according to NIP-07 and I don't really trust any of them except maybe Spring, but that's self-contained and doesn't have my apps in it.

What is your opinion of using heavy warnings on nsec logins? **ducks**
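The extension login path mentioned above, written out as an added example (not code from any of the apps in this post): the app feature-detects a NIP-07 provider at `window.nostr`, asks it for the public key, has it sign a NIP-42 style challenge (kind 22242), and sanity-checks the result before sending it to the server. The provider object, challenge and relay URL are assumptions; the app never handles an nsec at any point.

```javascript
// Added example: NIP-07 extension login for a nostr web app, so the app never
// touches the user's nsec. Assumes a NIP-07 provider at window.nostr exposing
// getPublicKey() and signEvent(); the challenge event follows NIP-42 (kind 22242).

// Feature-detect a NIP-07 provider. When absent, show the "create identity /
// install an extension" path rather than an nsec input box.
function hasNip07(globalObj) {
  const n = globalObj && globalObj.nostr;
  return !!n && typeof n.getPublicKey === 'function' &&
         typeof n.signEvent === 'function';
}

// Build the unsigned NIP-42 auth event the extension will sign. `challenge`
// comes from the server/relay and must be unpredictable and single-use.
function buildChallengeEvent(challenge, relayUrl, createdAt) {
  return {
    kind: 22242,
    created_at: createdAt,
    tags: [['relay', relayUrl], ['challenge', challenge]],
    content: '',
  };
}

const HEX64 = /^[0-9a-f]{64}$/, HEX128 = /^[0-9a-f]{128}$/;

// Sanity-check what the extension returned before trusting it: pubkey must match
// the one the user logged in with, the payload must be unchanged, and id/sig must
// be hex of the right length. Cryptographic verification of `sig` needs a
// secp256k1 Schnorr library (e.g. nostr-tools) and belongs on the server.
function signedEventLooksValid(unsigned, signed, expectedPubkey) {
  if (!signed || signed.pubkey !== expectedPubkey) return false;
  if (!HEX64.test(signed.id || '') || !HEX128.test(signed.sig || '')) return false;
  return signed.kind === unsigned.kind &&
         signed.created_at === unsigned.created_at &&
         signed.content === unsigned.content &&
         JSON.stringify(signed.tags) === JSON.stringify(unsigned.tags);
}

// Login flow: pubkey from the extension, challenge signed by the extension.
async function loginWithExtension(provider, challenge, relayUrl) {
  const pubkey = await provider.getPublicKey();
  const unsigned = buildChallengeEvent(challenge, relayUrl, Math.floor(Date.now() / 1000));
  const signed = await provider.signEvent(unsigned);
  if (!signedEventLooksValid(unsigned, signed, pubkey)) {
    throw new Error('extension returned an unexpected signed event');
  }
  return { pubkey, authEvent: signed }; // POST authEvent to the server to verify
}
```

In a browser you would call `loginWithExtension(window.nostr, challenge, relayUrl)` only after `hasNip07(window)` returns true.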


Discussion

Y'all worry about protecting your nsecs too much! Just be loose with it! What are you hiding! 😜

I think they are stupid. Password breaches due to browser and mobile device app caches are the smallest problem compared to the cleartext storage of your private data on siloed trusted third party "cloud" apps.

Having said that, I wish more people would realise that airgapped, NFC and USB connected devices like yubikeys and tapsigners are the only serious security.

nsecbunker and xnos and all this sort of thing don't fundamentally change the equation in terms of the fact that any app running with your permissions with filesystem privileges is vulnerable.

Android devices already partition app filesystems hard using kernel namespaces.

No other app is going to easily gain access to any profile data stored by the app in the standard location. The only concern is if it for some reason writes such data outside of that with general filesystem access permissions. Those permissions are not very clear; to me they seem to give read and write access outside of app profile folders, but should have more clear control - that you can only READ outside of the profile folder, so you know it can't possibly be writing your key somewhere another app could access it.

The problem with nsec auth is that it's probably not a problem at this moment in time due to a lack of (enough) traction to make nostr appealing to bad actors. However, as the network grows so will risks, and nsec interception (in various ways) will be more of a thing at that time. Personally I agree that the option to paste a private key into an app or website should be "normalised", doesn't matter if just for nostr or for a Bitcoin key or for anything else that might evolve in the years to come.

I guess the bottom line is that we need more means to safely authenticate on web3 protocols. It could be something like a key-managing signing device that doesn't even have a wallet service attached to it but something is definitely needed. However, I think for now you're good to use nsec auth but we should move away from this method as soon as possible.

Thinking about this from the perspective of a person who hasn't been in this space for as long as I have, careless handling of keys because it appears to be "normal" isn't very appealing.