I can relate to this. Clients are closing options to join in, only allowing some login abstraction and disregarding the basic protocol. It's starting to look like classical websites. A client should always give an option to insert an nsec, imo. The same goes for zaps: some clients only allow NWC zapping, which means having something like Alby; to zap you would only need any LN wallet.
Discussion
Never enter your NSEC into a web client. Always use a NIP-07 extension.
Let users choose; you can put a warning. Coracle uses NIP-07 by default, otherwise nsec. With NIP-07 you have to trust the extension; you can also trust a specific web client; I can be using a burner nsec. Also, if you open the web client on mobile, there aren't many signers for mobile. What will clients require next for safety reasons, 2FA? I don't think we should treat users like children and decide what we think is best for them; let them know the options and risks and decide.
Imagine Bitcoin mobile wallets not allowing you to insert a private key; you could only receive or broadcast a tx previously signed by a hardware wallet.