I have not tried using nsecbunker to share access, but from my understanding what you want is:
- add npubs that are allowed to control the main key
- set permissions for each such npub - is they can accept connections, confirm certain kinds, etc
- then if one of those users are trying to log into an app, they would confirm the connection/signing themselves (but within limits that you've specified)
- all this without your friends getting access to your main nsec, which is stored safely on one of your devices

Is that roughly it?