With certificates/"delegates" (nip-26) you can entrust the private key -- non-extractable -- to a hardware key store like Android Keystore, TPM, dunno what iShnitzels have.

Everything else is nincompoop shenanigans.