I think telling people to generate their keys with something like Amber is probably the way. Then Amber's UX can ensure the private key is handled correctly.
The sheer number of people who have submitted their privkey/nsec for verification on https://verified-nostr.com is quite staggering. And that’s despite a bold, red message to only send the pubkey in hex.
Fortunately for them, I ensure those submissions are discarded. That said, there really should be a better way for key management and/or training for new folks to realize the privkey/nsec is basically their password.
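As an added example that is not verified-nostr.com's code (nor the poster's), the kind of server-side check that discards an nsec submission without storing or echoing it, accepting only a hex pubkey or an npub. It assumes Bech32 as BIP-173 defines it and NIP-19 uses it; the key bytes in the comments and tests are constructed.

```python
# Added example, not verified-nostr.com's code: accept a hex pubkey or npub,
# reject a bech32 nsec. Bech32 per BIP-173 as NIP-19 uses it (assumption).
import re
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
def _polymod(values):                    # BIP-173 checksum polynomial
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk
def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
def _convertbits(data, frombits, tobits, pad):   # regroup 8<->5 bit words
    out, acc, bits = [], 0, 0
    for v in data:
        acc, bits = (acc << frombits) | v, bits + frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & ((1 << tobits) - 1))
    if pad and bits:
        out.append((acc << (tobits - bits)) & ((1 << tobits) - 1))
    return out
def bech32_encode(hrp, raw):             # used here to build sample inputs
    data = _convertbits(raw, 8, 5, True)
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    chk = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + chk)
def bech32_decode(s):                    # (hrp, payload bytes) or None
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1 or any(c not in CHARSET for c in s[pos + 1:]):
        return None
    hrp, data = s[:pos], [CHARSET.index(c) for c in s[pos + 1:]]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        return None                      # bad checksum: typo or truncation
    return hrp, bytes(_convertbits(data[:-6], 5, 8, False))

def classify_submission(text):           # 'pubkey:<hex>' or 'reject:<reason>'
    s = text.strip()
    if re.fullmatch(r"[0-9a-fA-F]{64}", s):
        return "pubkey:" + s.lower()     # hex form the site asks for; note a
    dec = bech32_decode(s)               # hex privkey looks identical (caveat)
    if dec and dec[0] == "nsec":
        return "reject:private key submitted"   # discard; never store or log it
    if dec and dec[0] == "npub" and len(dec[1]) == 32:
        return "pubkey:" + dec[1].hex()
    return "reject:not a hex pubkey or npub"
```

A private key pasted as 64 hex characters is indistinguishable from a hex pubkey, so a filter like this only catches the nsec form; the rest has to come from signer UX and user training, as the comments say.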
Discussion
That's it! If all your apps can delegate signing to Amber (or an equivalent), then the user never has to handle their nsec. And if they do, Amber can make it super clear what the risks are.