The nsec is stored in an encrypted form with keys generated in the browser; it's a light protection against someone just peeking at the localstore. But if they're smart enough to debug JS, then they would find the decrypted nsec somewhere inside JS variables (same w/ extensions btw).
It is possible to add a PIN/password to confirm on every use, although it would mean you can't set the 'Don't ask again' checkbox - you'd literally have to confirm (almost) every use of the key. Do you think we need such an advanced mode?