Has been for me as well.
Bunkers are still in disarray. There is no solution for ensuring bunker uptime too. Not everyone has a server to put it on, or wants to run an app that drains their battery.
Connecting new apps is a pain, requiring copying a string over from your bunker (which requires you to login, if it’s not an app)
Things like nsec.app are a bigger security risk than extensions. Remember the Bybit hack? The nsec.app server can add malicious JS to the frontend and delete it minutes after. You wouldn’t even know.
With extensions you would need to update, and you can do your own builds as well locally instead of relying on Google or Mozilla.
or if that was not enough, this UX is impossible with bunkers:
nostr:nevent1qqsxr9vnyvghh4763uz5aldyqqlrudcl3j65zh6jv6dwp35gnp2hrkg5vkhln
I get that you are mad about bunkers, but let's not pretend that extensions are somehow unable to load arbitrary code at runtime (they can), or that you some-how can't build and side-load PWAs (you can).
I agree with you that nsecbunker sucks. I have been building rpc-like interfaces over nostr long before nsecbunker was even a thing.
Also, extensions can break into other page processes and perform xss attacks. Be real dude.
Extensions can load code at runtime, sure. But PWAs can as well.
Sure, extensions can run code on websites. But I can restrict on which, and/or audit the code. So none of that matters!
Even if they somehow did slip through, if an extension is malicious, I have concerns about my nsec, not about it tampering with my Nostr client.
PWAs can also exfiltrate my nsec, and be remotely updated. So far I have seen no real solution to the problem that you need an HTTPS website.
