wdym? this is a problem with all nip07 plugins except ones that communicate to a native app or device that does the signing. I think all nip07 plugins currently work this way.
Discussion
So than that's fucked up
Is it true nostr:npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6 Nos2x extension leak the nsec on Javascript environment?
And what about Amber nostr:npub1w4uswmv6lu9yel005l3qgheysmr7tk9uvwluddznju3nuxalevvs2d0jr5
it doesn't leak it to websites, since extensions are isolated. damoose just takes it a step further and isolates it from the js-plugin environment. it acts as a native signer that is network-sandboxed. your keys are likely fine, this is just improving the security even more.