You could. The k1 ends up being known to the wallet and anyone who can view the QR on your screen. Everywhere else is subject to TLS.
I generate a random 32-byte k1 and set it to expire. That seemed good enough to me. More or less the security of a magic link.
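The challenge lifecycle described in the reply above (random 32-byte k1, issued with an expiry, usable once) as an added example; this is not the poster's code. The 300-second lifetime, the in-memory dict as the pending-challenge store, and the injectable clock are assumptions made for the example; the hex encoding of k1 follows the LNURL convention.

```python
import secrets
import time

# Assumed lifetime for an outstanding k1; the post only says it is set to expire.
K1_TTL_SECONDS = 300


class K1Store:
    """Tracks outstanding k1 challenges: each is random, expires, and is consumed once.

    The clock is injectable so the expiry logic can be exercised deterministically.
    """

    def __init__(self, ttl=K1_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now
        self._pending = {}  # k1 (hex) -> absolute expiry time

    def issue(self):
        """Create a fresh 32-byte k1 from the OS CSPRNG and remember when it expires."""
        k1 = secrets.token_bytes(32).hex()  # 64 hex chars, as k1 appears in the LNURL
        self._pending[k1] = self.now() + self.ttl
        return k1

    def consume(self, k1):
        """Accept a k1 at most once, and only while it is still within its lifetime.

        The challenge is removed on first presentation so a replay is rejected even
        if it arrives before the expiry.
        """
        expiry = self._pending.pop(k1, None)
        if expiry is None:
            return False  # unknown, already used, or already purged
        return self.now() <= expiry

    def purge_expired(self):
        """Drop challenges whose lifetime has passed; returns how many were removed."""
        now = self.now()
        stale = [k for k, exp in self._pending.items() if exp < now]
        for k in stale:
            del self._pending[k]
        return len(stale)


if __name__ == "__main__":
    store = K1Store()
    k1 = store.issue()
    print("issued k1:", k1)
    print("first use accepted:", store.consume(k1))
    print("replay accepted:", store.consume(k1))
```

The wallet signs the k1 it was shown; `consume` is what the server calls when the signed callback arrives, after the signature itself has been verified. Rejecting on first reuse, not only on expiry, is what keeps a k1 observed from the screen from being replayed inside its lifetime.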