Technically speaking, if you want to be most secure, you'd generate your nsec and npub locally, and not even let the first client you use generate them for you, as that provides your first gaping security hole. There's some information here that can help with that: https://orangepill.dev/nostr-guides/guide-nostr-key-generation-and-management/