Your nsec is your account. Evil clients can steal it; dumb clients can let other people steal it.
Discussion
How does one log in without using their nsec directly?
Using a Nostr browser extension or an nsecbunker are 2 common ways.
I use nos2x: https://chromewebstore.google.com/detail/nos2x/kpgefcfmnafjgpblomihpgmejjdanjjp
There are similar plugins for Firefox (but I can't recommend one). I think Alby works too.