All right.

Apart from checking the legitimacy of the URL, I also don't know of any other security defense besides a visual check by the user.

I know there are some that go a step further and validate and alert the sign message in Web3, but to do this, the attack case needs to be templated/specified.

Discussion

The signPsbt prompt window is going to be very different from the signEvent window. Everything to know about each input and output will be displayed to the user, including the script.

The wallet (soon tm) will also have a `window.bitcoin.register_xpub` method for registering signed xpubs into an address book, which the signPsbt prompt will use to highlight addresses for simple verification.
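To make the point above concrete, here is an added example (not the wallet's own code) of what a signPsbt-style confirmation prompt can compute before asking the user to sign: every input and output listed with its script, each output tagged against the wallet's address book, and the fee derived from inputs minus outputs. It assumes the PSBT has already been decoded into plain records; the transaction and the address book below are constructed sample data, and the `max_fee_pct` threshold is a hypothetical policy knob.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TxInput:
    txid: str
    vout: int
    value_sat: int
    script_hex: str  # scriptPubKey of the spent output, shown to the user verbatim


@dataclass
class TxOutput:
    address: str
    value_sat: int
    script_hex: str  # scriptPubKey of the new output, shown to the user verbatim


@dataclass
class PromptSummary:
    total_in_sat: int
    total_out_sat: int
    fee_sat: int
    known_out_sat: int       # value going to address-book entries
    unknown_out_sat: int     # value going to addresses the wallet has no label for
    warnings: List[str] = field(default_factory=list)


def summarize(inputs: List[TxInput], outputs: List[TxOutput],
              address_book: Dict[str, str], max_fee_pct: float = 10.0) -> PromptSummary:
    """Compute the figures the prompt shows; warnings are surfaced, never silently dropped."""
    total_in = sum(i.value_sat for i in inputs)
    total_out = sum(o.value_sat for o in outputs)
    fee = total_in - total_out
    known = sum(o.value_sat for o in outputs if o.address in address_book)
    unknown = total_out - known
    warnings: List[str] = []
    if fee < 0:
        warnings.append("outputs exceed inputs: PSBT is malformed or missing input amounts")
    elif total_in and fee * 100.0 / total_in > max_fee_pct:
        warnings.append(f"fee is {fee} sat ({fee * 100.0 / total_in:.1f}% of inputs)")
    if outputs and known == 0:
        warnings.append("no output goes to an address-book entry")
    return PromptSummary(total_in, total_out, fee, known, unknown, warnings)


def render(inputs: List[TxInput], outputs: List[TxOutput],
           address_book: Dict[str, str], summary: PromptSummary) -> List[str]:
    """Produce the lines a prompt window would display, one per input/output plus fee and warnings."""
    lines = ["INPUTS"]
    for i in inputs:
        lines.append(f"  {i.txid}:{i.vout}  {i.value_sat} sat  script={i.script_hex}")
    lines.append("OUTPUTS")
    for o in outputs:
        if o.address in address_book:
            tag = f"[address book: {address_book[o.address]}]"
        else:
            tag = "[UNKNOWN ADDRESS]"
        lines.append(f"  {o.address}  {o.value_sat} sat  {tag}  script={o.script_hex}")
    lines.append(f"FEE {summary.fee_sat} sat")
    for w in summary.warnings:
        lines.append(f"WARNING: {w}")
    return lines


# Constructed sample data: one 100000 sat input, 60000 sat to a labelled address,
# 39000 sat to an address the wallet does not know, leaving a 1000 sat fee.
SAMPLE_ADDRESS_BOOK = {"bc1qconstructedknownaddress0000000000000000": "cold storage"}
SAMPLE_INPUTS = [
    TxInput("ab" * 32, 0, 100000, "0014" + "11" * 20),
]
SAMPLE_OUTPUTS = [
    TxOutput("bc1qconstructedknownaddress0000000000000000", 60000, "0014" + "22" * 20),
    TxOutput("bc1qconstructedunknownaddress00000000000000", 39000, "0014" + "33" * 20),
]

if __name__ == "__main__":
    s = summarize(SAMPLE_INPUTS, SAMPLE_OUTPUTS, SAMPLE_ADDRESS_BOOK)
    print("\n".join(render(SAMPLE_INPUTS, SAMPLE_OUTPUTS, SAMPLE_ADDRESS_BOOK, s)))
```

The address book here is a plain address-to-label map; the signed-xpub registration the reply mentions would populate it with derived addresses, but the prompt logic is the same either way: anything not in the book is shown as unknown rather than hidden.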