Have you considered #nsecbunker (or similar) for your key management?
Downside is that the private keys have to be online in order to support on-demand signing requests and grant / revoke logic, right?
That’s my understanding.
Try nsec.app to dip your toes.