Agree. It's the same principle with #bitcoin private key. What lessons have we learned there? Create, and keep, your private key (hence your nsec) offline. This means, perhaps, something like a USB-C YubiKey integration for mobile devices. But...confirm message signing for every like, boost, zap? Can't do NFC, too insecure. Biometric? Idk. Seems a little bearish for widespread adoption...