The push notifications are read/intercepted unless you provide a custom push notification service locally on your phone. Can't you do sharing through a specific identifier between apps?
It's possible to build a trustless nsecbunker: a bunker where your private key is not held by the online service provider, but by you in your phone.
Just make an app that receives signing requests via Push Notifications. The bunker server then simply reads new NIP-46 request events from the user's relay and Pushes it to the app. The app wakes up, gets the event and presents an approval screen to the user. After approval, the app sends the NIP-46 response to the client.
The entire permission system would run on your phone.
It would be like a 2-step-auth for every signature. Every like would hit the phone for approval.
Maybe nostr:npub1w4uswmv6lu9yel005l3qgheysmr7tk9uvwluddznju3nuxalevvs2d0jr5 can turn Amber into that.
Discussion
You can just encrypt the push message. The Push provider cannot see anything. We do that for Amethyst using Google's and Unified Push's API. No one sees anything.
