it doesn't leak it to websites, since extensions are isolated. damoose just takes it a step further and isolates it from the js-plugin environment. it acts as a native signer that is network-sandboxed. your keys are likely fine, this is just improving the security even more.