Because softwar.

The idea is move the signing process offline just to establish the authority of the client to access the server. So that any hacker operating purely in cyberspace has no chance of entry. And any hacker operating irl has walls and guns between them and their target.

In fact, if you needed even more security because, say the server won't accept any data to establish an ssh channel, but it knows your xpub, you would need to, for example, move your utxo to the next address in your npub with a challenge token attached to the transaction. The server sees that block get mined, get 6 blocks deep, and only then give you access.