Depends, if the app is open source you can at least verify the code to check where they store it. Usually an app (unless malicious) will store it in your device's local storage. This is still a lot of work to verify every app, for better security it would be beneficial to store it in a signer app and only have to verify the signer's security, this way you can still "login" to many apps without ever sharing your nsec with them.