You totally could replicate the nsecbunker "google-like" auth flow on the clients where rather than whitelisting a delegate key, this additional bunker just sends over the encrypted client secret. The important thing is that you aren't trusting a single entity with >= the threshold shares necessary to craft a valid signature. As long as that remains true, you can still safety rotate keys and know that any single malicious entity could not rug you.
How do we encrypt/decrypt DMs with Frost?
I haven't worked through how that would work yet. I'm by no means an expert on this stuff so I'm not sure if its possible. Hoping to chat with some ppl about this in Nashville next week!