Surprisingly, I don't recall a single instance where anyone's Nostr account was hacked. Entering your private key into an insecure app would be the most obvious way how that could happen.

Compromise of a popular app would be bad. Maybe we'll need app and device specific keys signed by other keys of yours at some point.

However, Nostr doesn't have the traditional attack vectors associated with passwords, email, SMS and third party account recovery, which is already very good.