Yes, you are right.

But the extension is a single point of verification, so it can be easier to monitor it instead of checking every Nostr project that pops up every day. Of course it can become a single point of failure too, but open source + devs' reputation is a good starting point.

Reproducible builds and a caring community could be a good addition.

Key rotation / revocation / delegation is probably the final solution.

Discussion

How do you rotate keys in Nostr? What happens if someone forgets or loses or deletes their private key? What about some kind of 2FA or 3 or 4 FA?

There isn't a key rotation mechanism yet; we are talking about it:

https://github.com/nostr-protocol/nips/issues?q=is%3Aissue+is%3Aopen+rotation

NIP-26 is about delegation; it was proposed and is already used by minds.com

https://github.com/nostr-protocol/nips/blob/master/26.md

I guess that delegation could easily be combined with 2FA.