This (slow opt in) is what we're working on now with nostr-login widget, signup starts with a local key and then when user has actually used the keys and signed something etc we'll be nudging them towards "key backup" - importing into a nip46 service etc. 

You're suggesting a new kind of service where user enters a password and app sends ncrypt to a server so that if local copy of nsec is lost (or they want to use another app) then ncrypt is downloaded, password is entered and nsec is again stored locally. Right? This kind of "ncrypt store" is actually part of nsec.app setup (we store ncrypt on server so you could "login" into nsec.app in another browser/device), but you're proposing to make it a separate thing. Sounds interesting. The problem of apps having raw access to nsec still holds, but at least you're not copying it around, and password can live inside the password manager. Still a step forward over "nsec login", I would say.