deriving shared secrets out of a message from your nsec should not require permission at all. at all.

if someone is already inside your browser or computer that's a whole separate problem to signing stuff and sending it out, i really hope you get the distinction