Technically you never "log in", if you're on a website, you typically identify yourself with your npub (if you gave your nsec, the browser keeps that locally and works out the npub and gives that to the website). Then when you use the site, your browser signs all your posts on your behalf.

No one but you and your computer sees the private key. Malware may figure out how to steal your key from your computer but they don't pinky promise nothing.

If you use an app, hopefully you've chosen an open source and well trusted app. If you have, then you already know that the nsec is kept on your mobile phone and not given to the app developers. If you did not, let's say yes, they pinky promise. But you shouldn't trust a pinky promise.