to the contrary,you just need to sign events which is generally accomplished with browser extensions (alby, nos2x) or remote signers (amber, nsecbunker).

sharing nsec with any app/service is an antipattern that we can't seem to get fully rid of (its the easiest to create in terms of onboarding but very risky). mobile apps tend to be a bit harder and you generally need to give them your nsec tho at least on mobile its a bit easier to ensure the security of that key compared to the web

go to nostr.net and you can see the offerings of browser extensions (on the right nip-08 browser extensions category)