Actually both nsec.app and amber work according to master nip46, they just use the same remote-signer-pubkey and user-pubkey - nothing in the spec says this is forbidden, it's a valid behavior.