that still ultimately requires putting your nsec in an untrusted website which is a bad idea. I think the most "normie" friendly way to do things would be to ultimately be to have a way for people to delegate key management to "identity providers" that people register for with using a regular email that then handles their keys and signs messages over https (and does nip-05). This of course requires trusting the identity provider but provides account recovery and still provides the advantage of not being tied to a single relay.