Says you. A developer, either accidentally or on purpose, could very easily send that key to anywhere they want (or don't want in an accident). It isn't that hard to have an input prompt send the input to an email address. Attackers will create fake or copycat tools that do this exactly. It already happens with Bitcoin keys and even account usernames and passwords. It has been a problem for years.

Most people are going to use a single key for convenience and it only takes one instance to be completely rekt.

I don't have a specific solution other than something like an air gapped hardware device, but I am convinced that people will get rekt.