"If you hesitate to paste your nsec into the app, we totally get it - just use your (or someone else's) npub to log in and look around. However, if you do add your real keys - those are handled by a separate library, stored in an encrypted form and protected by the Android keystore, inaccessible to any JS code, immune to XSS or app-level bugs."

pretty sure nostr:npub1xdtducdnjerex88gkg2qk2atsdlqsyxqaag4h05jmcpyspqt30wscmntxy isn't trying to get your nsec...