Yes, there is even no need to confirm logging to a new app themselves.
They will only use one app: snort/coracle. I want to approve them once on the main device that stores the main key.
I think it could be implemented simply by changing the code of snort/coracle to use window.nostr.nip04.encrypt/decrypt and window.nostr.signEvent/getPublicKey - so the same nsec-npub keypair in the extension will be used to communicate with the bunker, instead of generating a temporary nsec-npub keypair on every session.