Thanks for the transparency! Keep up the hard work.
Might be my ignorance to the tech but I thought all signing was done on the front end and so signing in (with an extension for example) was just a client side session and that the nsec never got shared server side.