Because, one way or another, the client needs to have your private key in order to do anything (post, like, boost, change your profile, etc). So the two options are:

1. Paste in your private key and hope that the client is secure enough to handle it carefully. To be fair, I'd say most clients are just storing them locally and never looking at them so it's probably ok-ish.

2. Use a wallet/extension like Alby that stores your key for you (and, at least in theory, does it better since it's a crypto wallet built expressly for that purpose) and then does the signing for you each time you try and interact with the protocol.

On mobile you're pretty much stuck pasting in your key. On desktop, you can use Alby and feel a bit safer. It also makes it easier to hop between clients.