Was thinking about this, but I'd prefer the key app to not have any networking capabilities. It could still do remote signing, if the local relay gets the nsecbunker events. 

 "...to securely compartmentalize your digital life", similar to QubesOS? 

 Exactly. 

 Amber has an offline variant available.  

 Relay have a huge attack surface and can easily crash.
A key app must work 100% of time 

 The signer app can be on a dedicated computer.
https://nostrsigningdevice.com/ 

 Apps should do one thing REALLY well.
Which means apps must work well together.
Private key security is paramount, so there should be a dedicated app for that. Copying private keys into many apps is bound to bring problems.
Loading time is a crucial UX hurdle, and so data should be pre processed in a dedicated relay app, so that other clients don't need to make privacy degrading online queries.
With such a setup it might be possible to run useful nostr apps that don't even have internet access, but get everything from the local network.