An interesting discussion emerges from the conversation between two client developers. The basic question comes down to this:
1) Should every Nostr app integrate all needed functions itself and thereby minimize third-party dependencies? Advantage: simplified onboarding, standalone solution. Disadvantage: requires trust in each individual app developer, which becomes more difficult with each new Nostr client app.
or
2) Should things on the client side be built in a more modular way, with a separate app for each critical function? Advantage: trust only has to be invested in one critical app, which simplifies trust management. Disadvantage: no standalone clients, the app stack on the user's side grows, and onboarding new users becomes more difficult.
The "critical function" in this case is authentication via nsec, the user's private key. In principle, though, the same question applies to the Lightning wallet needed for zapping, or to security aspects like Tor support.
I clearly lean toward the latter approach. For these reasons:
Forget the onboarding argument. Nostr is already complicated enough; it will never reach the typical Facebook user who entrusts all their data to Meta and accepts the risk of being harassed by the entire Meta ecosystem (WhatsApp, Instagram) if an algorithm or a "moderator" goes haywire. We Nostriches are more like the Linux users among social media protocols than the Windows or Apple users. We appreciate the advantage of modularity over proprietary systems. And I would rather keep an eye on how Amber (or any similar key signer) is built and how it proves itself over time (stability, security scandals, etc.) than monitor each Nostr client individually.
Our onboarding is already more difficult: key pairs, zaps, decentralization... a new Nostr user has to deal with these things anyway.
We are a protocol, not a platform. We have a free ecosystem that unleashes growth potential ("you can just build things") that would never be possible in other, centralized environments. Look at how quickly it has grown in 2-3 years compared to Twitter, LinkedIn, etc. There, the last 2-3 years have only brought new frustrating functions like more KYC, more questionable business models for monetization, and a few trivial "goodies" like more characters, more emojis, or a greater share of ad revenue for the top 1% of users.
In this respect, we have already won.
The philosophical dilemma mentioned at the beginning of this post isn't appearing for the first time with the nsec topic. We've already experienced it with Lightning wallets. Should users get an external wallet from a third-party provider (more effort, worse onboarding, etc.), or do we pack it into the Nostr client, as Primal and Yakihonne have done? Honestly, I don't find what Primal and Yakihonne have done that successful. This is also a security-critical issue: I want to be able to switch wallets if something better comes along and not be tied to what the Nostr client has provided. Most users accept modularity here.
So: for security-critical functions, I am clearly for modularity and self-determination. The disadvantages that come with it are worth it to me. I want to choose my own zap wallet, and my key signer too.
nostr:nevent1qvzqqqqqqypzq3svyhng9ld8sv44950j957j9vchdktj7cxumsep9mvvjthc2pjuqyg8wumn8ghj7mn0wd68ytnddakj7qgwwaehxw309ahx7uewd3hkctcqyqc84rnturhwpf4hz7k6mh9cpk0crepwm0vpqcup06dm5f6ecxmjssmxh0d