if you don't think having a key isolated in a separate process without networking is much better than having it floating around in the safari's memory space, I can't help you.

ideally key stored in:

hw device > sandboxed process > browser plugin > webpage

saying I'm misrepresenting the problem is just not true, this is an obvious improvement short of hw device signing.

I guess it just comes down to how much you trust browser engineers to not fuck things up.